AWS OIDC authentication failure (Incorrect token audience) with two applications #3071
Comments
@normj, @ashishdhingra, could you please have a look at this issue.
@bagajjal Good morning. I do not think this is an SDK issue. Could you please refer to https://repost.aws/knowledge-center/eks-troubleshoot-oidc-and-irsa which has details on how to check if the audience is correct? Thanks,
@ashishdhingra, I referred to https://repost.aws/knowledge-center/eks-troubleshoot-oidc-and-irsa but it didn't answer my question.
@ashishdhingra, this seems to be a clear bug on the AWS side as the same setup (using 2 applications) works for the AAD V1 access token but not for the AAD V2 access token.
@bagajjal Could you please confirm your audience for OIDC? I'm unsure if something changed in AAD V2. Kindly note that the audience is configured while creating the identity provider, as shown below: Also refer to Creating OpenID Connect (OIDC) identity providers if you want to add additional audiences (client IDs). Could you also share a minimal code solution and setup steps that reproduce the issue? Thanks,
This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
@ashishdhingra, I did the recording for both the AAD V2 access token (failed case) and the AAD V1 access token. Please reopen this issue for tracking.
Failure scenario, AAD V2 access token using two applicationIds: recording
Success scenario, AAD V1 access token using two applicationIds: recording
Success scenario, AAD V2 access token using only one applicationId: recording
Please find the AWS CloudFormation template used in both cases.
@ashishdhingra, any update?
Describe the bug
I apologize if this issue seems out of place here. If it is, please inform me of the appropriate GitHub repository to move this issue.
I'm currently working on implementing AWS OIDC authentication with Azure AD (AAD) as the OpenID provider. I have two applications (appId1, appId2). When using appId1 to authenticate with AAD, I obtain a token for appId2, meaning that the AAD access token has appId2 as its audience. Subsequently, I invoke AssumeRoleWithWebIdentityAsync() by providing the AAD access token. This configuration functions properly with AAD access token V1 but encounters issues with AAD access token V2, i.e., AWS OIDC authentication was successful using AAD access token V1 but not with AAD access token V2.
When utilizing AAD access token V2, if I employ appId2 for authentication with AAD and obtain a token for itself (where the AAD access token has appId2 as its audience) and present this token, the AWS OIDC authentication succeeds.
I have confirmed that my AWS account has the correct OIDC authentication configuration. Specifically, I have added appId2 to the OIDC clientID list, and appId2 has been granted assumeRole permissions to the AWS IAM role.
This seems to be a bug in the AWS OIDC authentication using AAD V2 access tokens using two AAD applications.
Please look into the attached document for more details.
AWS_V2_accesstoken_error.docx
Code for AWS OIDC authentication using AAD V2 access token
Expected Behavior
AWS OIDC authentication should succeed.
Current Behavior
AWS OIDC authentication fails with "Incorrect token audience" if we use AAD v2 access token with 2 applications.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
AWS .NET SDK and/or Package version used
"AWSSDK.SecurityToken" Version="3.7.102.2"
Targeted .NET Platform
.NET 7
Operating System and version
Windows 11
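A pre-flight check for the "Incorrect token audience" failure described in this issue, added here as an example and not code from the issue or from the AWS SDK: it decodes the AAD access token's payload and reports whether its `aud` claim appears in the client ID list configured on the IAM OIDC identity provider, which is the comparison STS performs before it will assume the role. The app IDs, issuer placeholder and tokens are constructed for the demonstration; only the payload is parsed and no signature is verified (STS does that against the issuer's keys).

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Parses the payload only. This is a pre-flight diagnostic: the signature is
    # verified by STS against the issuer's published keys, not here.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_token_audience(token: str, client_ids: set) -> dict:
    """Report whether any 'aud' value of the token is in the IAM provider's client ID list."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows string or list
    matched = [a for a in audiences if a in client_ids]
    hint = None
    if not matched:
        # Common cause: the token carries the App ID URI form (api://<guid>) while the
        # provider lists only the bare GUID, or vice versa. The match must be exact.
        stripped = [a[len("api://"):] for a in audiences if isinstance(a, str) and a.startswith("api://")]
        if any(s in client_ids for s in stripped):
            hint = "aud is the api:// App ID URI form; the provider lists only the bare app ID"
    return {"iss": claims.get("iss"), "ver": claims.get("ver"),
            "aud": audiences, "matched": matched, "ok": bool(matched), "hint": hint}

def make_unsigned_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for offline demonstration only (alg "none", empty signature).
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

# Constructed placeholder values, not identifiers from the issue.
APP_ID_1 = "11111111-1111-1111-1111-111111111111"   # app used to sign in
APP_ID_2 = "22222222-2222-2222-2222-222222222222"   # app the token is requested for
ISSUER = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"
CONFIGURED_CLIENT_IDS = {APP_ID_2}                  # ClientIDList on the IAM OIDC provider

TOKEN_OK = make_unsigned_sample_token(
    {"iss": ISSUER, "ver": "2.0", "azp": APP_ID_1, "aud": APP_ID_2})
TOKEN_MISMATCH = make_unsigned_sample_token(
    {"iss": ISSUER, "ver": "2.0", "azp": APP_ID_1, "aud": f"api://{APP_ID_2}"})
```

Run `check_token_audience` on the real token returned by AAD (v1 and v2 side by side) and compare the reported `aud` with the provider's ClientIDList before calling AssumeRoleWithWebIdentityAsync; the `hint` field flags the URI-versus-GUID form mismatch.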