AWS OIDC authentication fails with Azure AD V2 access token with "Incorrect token audience"

73 views Asked by At

I'm currently working on implementing AWS OIDC authentication with Azure AD (AAD) as the OpenID provider. I have two applications (appId1, appId2).

I use appId1 to authenticate with AAD and obtain a token for appId2, meaning that the AAD access token has appId2 as its audience.

Subsequently, I invoke AssumeRoleWithWebIdentityAsync() by providing the AAD access token. This configuration functions properly with AAD access token V1 but encounters issues with AAD access token V2 i.e., AWS OIDC authentication was successful using AAD access token V1 but not with AAD access token V2.

I have confirmed that my AWS account has the correct OIDC authentication configuration. Specifically, I have added appId2 to the OIDC clientID list, and appId2 has been granted assumeRole permissions to the AWS IAM role.

This seems to be a bug in the AWS OIDC authentication using AAD V2 access tokens using two AAD applications.

Please look into the attached document for more details, https://github.com/aws/aws-sdk-net/files/12968773/AWS_V2_accesstoken_error.docx

Video recording

AAD V2 access token recording (https://balupublicclouds.blob.core.windows.net/aws-oidc-auth/AWS%20OIDC%20-%20AAD%20v2%20access%20token%20failure.mp4)

AAD V1 access token recording (https://balupublicclouds.blob.core.windows.net/aws-oidc-auth/AWS%20OIDC%20auth%20v1%20access%20token%20working.mp4)

Please find the AWS Cloud formation template used in both the cases.

OIDCAuth-AAD-V1-access-token (https://github.com/aws/aws-sdk-net/files/13302135/OIDCauth-V1-outlook-tenant.txt)

OIDCAuth-AAD-V2-access-token (https://github.com/aws/aws-sdk-net/files/13302136/OIDCauth-V2-outlook-tenant.txt)

Please note, when utilizing AAD access token V2, if I employ appId2 for authentication with AAD and obtain a token for itself (where the AAD access token has appId2 as its audience) and present this token, the AWS OIDC authentication succeeds.

0

There are 0 answers