
AWS OIDC authentication failure (Incorrect token audience) with two applications #3071

Closed
bagajjal opened this issue Oct 17, 2023 · 10 comments
Labels
bug This issue is a bug. closed-for-staleness credentials response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@bagajjal

Describe the bug

I apologize if this issue seems out of place here. If it is, please inform me of the appropriate GitHub repository to move this issue.

I'm currently working on implementing AWS OIDC authentication with Azure AD (AAD) as the OpenID provider. I have two applications (appId1, appId2). When using appId1 to authenticate with AAD, I obtain a token for appId2, meaning that the AAD access token has appId2 as its audience. Subsequently, I invoke AssumeRoleWithWebIdentityAsync() by providing the AAD access token. This configuration functions properly with AAD access token V1 but encounters issues with AAD access token V2 i.e., AWS OIDC authentication was successful using AAD access token V1 but not with AAD access token V2.

When utilizing AAD access token V2, if I employ appId2 for authentication with AAD and obtain a token for itself (where the AAD access token has appId2 as its audience) and present this token, the AWS OIDC authentication succeeds.

I have confirmed that my AWS account has the correct OIDC authentication configuration. Specifically, I have added appId2 to the OIDC clientID list, and appId2 has been granted assumeRole permissions to the AWS IAM role.

This seems to be a bug in the AWS OIDC authentication using AAD V2 access tokens using two AAD applications.

Please look into the attached document for more details:
AWS_V2_accesstoken_error.docx

Code for AWS OIDC authentication using AAD V2 access token

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Microsoft.Identity.Client;

// Fields such as solutionFirstPartyAppappId, solutionFirstPartyApptenantId,
// solutionFirstPartyAppcertpath, aadInstance, partnerAppId and roleAuthorizationData
// are initialised elsewhere in the reporter's class and are not shown here.
private async Task<Credentials> AcquireAwsCredentials()
{
    // appId1 (the "first party" app) authenticates to AAD and requests a token
    // whose audience is appId2 (partnerAppId).
    var token = await GetToken(this.solutionFirstPartyAppappId, this.solutionFirstPartyApptenantId, this.solutionFirstPartyAppcertpath, this.aadInstance, this.partnerAppId);

    var request = new AssumeRoleWithWebIdentityRequest
    {
        RoleSessionName = roleAuthorizationData.RoleSessionName,
        RoleArn = roleAuthorizationData.RoleArn,
        WebIdentityToken = token
    };

    // AssumeRoleWithWebIdentity is an unsigned call: the web identity token is the only credential presented.
    var amazonSecurityTokenServiceClient = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials());

    var assumeRoleWithWebIdentityResponse = await amazonSecurityTokenServiceClient.AssumeRoleWithWebIdentityAsync(request);
    Console.WriteLine("Successfully got AWS temporary security credentials");

    // Return the temporary credentials (AccessKeyId, SecretAccessKey, SessionToken, Expiration).
    return assumeRoleWithWebIdentityResponse.Credentials;
}

private static async Task<string> GetToken(string appId, string tenantId, string certPath, string aadInstance, string audience)
{
    bool withSendX5C = false;
    var clientCert = new X509Certificate2(certPath);
    var azureRegion = ConfidentialClientApplication.AttemptRegionDiscovery;
    // Token request is directed at the v2.0 endpoint, so AAD issues a v2 access token.
    var authority = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
    var application = ConfidentialClientApplicationBuilder.Create(appId)
        .WithCertificate(clientCert, withSendX5C)
        .WithAuthority(authority)
        .WithAzureRegion(azureRegion)
        .Build();

    // Client-credentials flow: the scope names the resource app (appId2) whose audience the token should carry.
    var requestBuilder = application.AcquireTokenForClient(new string[] { $"api://{audience}/.default" });
    if (withSendX5C)
    {
        requestBuilder = requestBuilder.WithSendX5C(true);
    }

    AuthenticationResult authResult = await requestBuilder.ExecuteAsync();
    // Prints the bearer token to the console for this repro; not something to keep in production code.
    Console.WriteLine($"AAD Token: {authResult.AccessToken}");

    return authResult.AccessToken;
}
```

Expected Behavior

AWS OIDC authentication should succeed.

Current Behavior

AWS OIDC authentication fails with "Incorrect token audience" if we use AAD v2 access token with 2 applications.

Reproduction Steps

  1. Create 2 applications in AAD (Azure AD).
  2. Using appId1 credentials, authenticate with AAD and request a token for appId2, i.e., AAD will return an AAD V2 access token with audience appId2.
  3. Now call AssumeRoleWithWebIdentityAsync().
  4. The AWS OIDC authentication call fails with "Incorrect token audience".

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

"AWSSDK.SecurityToken" Version="3.7.102.2"

Targeted .NET Platform

.NET 7

Operating System and version

Windows 11

@bagajjal bagajjal added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 17, 2023
@bagajjal
Author

@normj, @ashishdhingra, could you please have a look at this issue.

@ashishdhingra
Contributor

@bagajjal Good morning. I do not think this is an SDK issue. Could you please refer to https://repost.aws/knowledge-center/eks-troubleshoot-oidc-and-irsa, which has details on how to check if the audience is correct?

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2023
@bagajjal
Author

@ashishdhingra, I referred to https://repost.aws/knowledge-center/eks-troubleshoot-oidc-and-irsa but it didn't answer my question.
Is there a different GitHub repository where I can post this question?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 24, 2023
@bagajjal
Author

@ashishdhingra , this seems to be a clear bug on AWS side as the same setup (using 2 applications) works for AAD V1 access token but not for the AAD v2 access token.

@ashishdhingra
Contributor

> @ashishdhingra , this seems to be a clear bug on AWS side as the same setup (using 2 applications) works for AAD V1 access token but not for the AAD v2 access token.

@bagajjal Could you please confirm your audience for OIDC? I'm unsure if something changed in AAD V2. Kindly note that most of the AWSSDK.SecurityToken package is autogenerated, hence doesn't appear to be AWS .NET SDK issue. The error clearly indicates that incorrect audience is set.

The audience is configured while creating identity provider as shown below:
[Screenshot (2023-10-24): IAM identity provider configuration showing the audience field]

Also refer to Creating OpenID Connect (OIDC) identity providers if you want to add additional audiences (client IDs).

Could you also share the minimal code solution and set up steps, that reproduces the issue?

Thanks,
Ashish
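Ashish's suggestion to verify the audience, together with the reporter's observation that the same setup works with V1 but not V2 tokens, can be checked locally by decoding the token's claims and comparing them with the IAM OIDC provider's URL and client ID list. The following is an added Python example, not code from the issue or from the AWS SDK; the tenant and application IDs are constructed placeholders, and the sample tokens follow the documented AAD layouts (a v1 access token carries the requested App ID URI in aud, a v2 access token carries the resource's bare client ID) rather than real tokens from the reporter.

```python
import base64
import json

# Constructed placeholder identifiers (not values from the issue).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APP_ID_2 = "22222222-2222-2222-2222-222222222222"  # the resource app (appId2)
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned header.payload. token purely for local inspection."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload only; signature verification is STS's job, not done here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def provider_mismatches(token: str, provider_url: str, client_ids: set) -> list:
    """List the reasons an IAM OIDC provider (provider_url + client_ids) would reject token."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss", "").rstrip("/") != provider_url.rstrip("/"):
        problems.append(f"iss {claims.get('iss')!r} does not match provider URL {provider_url!r}")
    aud = claims.get("aud")
    if not any(a in client_ids for a in (aud if isinstance(aud, list) else [aud])):
        problems.append(f"aud {aud!r} is not in the client ID list {sorted(client_ids)}")
    return problems


# Constructed tokens mirroring the documented aud formats: v1 carries the App ID URI
# the client asked for, v2 carries the resource application's bare client ID.
V1_TOKEN = make_sample_jwt({"iss": V1_ISSUER, "aud": f"api://{APP_ID_2}", "ver": "1.0"})
V2_TOKEN = make_sample_jwt({"iss": V2_ISSUER, "aud": APP_ID_2, "ver": "2.0"})

if __name__ == "__main__":
    # A provider configured for v1 tokens (App ID URI as client ID) rejects the v2 token on both iss and aud.
    print(provider_mismatches(V2_TOKEN, V1_ISSUER, {f"api://{APP_ID_2}"}))
    # A provider whose URL and client ID list follow the v2 format accepts it.
    print(provider_mismatches(V2_TOKEN, V2_ISSUER, {APP_ID_2}))
```

Run the same check against the real token printed by GetToken to see which of iss or aud the provider configuration disagrees with.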

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 24, 2023
@github-actions

This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 30, 2023
@github-actions github-actions bot closed this as completed Nov 1, 2023
@bagajjal
Author

bagajjal commented Nov 8, 2023

@ashishdhingra, I did the recording for both AAD V2 access token (Failed case) and the AAD V1 access token. Please reopen this issue for tracking.

Failure scenario, AAD V2 access token using two applicationIds recording

Success scenario, AAD V1 access token using two applicationIds recording

Success scenario, AAD V2 access token using only one applicationId recording

@bagajjal
Author

bagajjal commented Nov 8, 2023

Please find the AWS Cloud formation template used in both the cases.

AWS-OIDCauth-V1.txt
AWS-OIDCauth-V2.txt

@bagajjal
Author

@ashishdhingra , any update?
