What causes "Incorrect token audience" using Google authentication tokens with AWS

I'm creating a simple web application that will use Google authentication to return an OpenID token, and then pass that token to AWS using JavaScript WebIdentityCredentials.

What I have done:

  1. Created the Google Project, and saved the OAuth ClientID
  2. Created an IAM role using Google IDP, and OAuth ClientID as Audience field.
  3. Include both the Google API and AWS API JavaScript in the web page, configured with the above.
  4. (Client) Request the id token from Google using the google js api
  5. Configure the id token on a WebIdentityCredentials
  6. Retrieve the AWS credentials (using that token)

When retrieving the credentials, I get this error from STS:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>Incorrect token audience</Message>
  </Error>
  <RequestId>28d09368-bf98-11e5-b52f-953b4c773ebf</RequestId>
</ErrorResponse>

Here is the AWS role:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Principal": {"Federated": "accounts.google.com"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "<my-oauth-client-id>"
        }
      }
    }
  ]
}

And here is the code I use to configure the token on the AWS context:

AWS.config.update({
   region: 'us-east-1',
   credentials: new AWS.WebIdentityCredentials({
     RoleArn: 'arn:aws:iam::<my-acct>:role/lab-amp-google-idp',
     WebIdentityToken : token
   })
});

And here is where I test the credentials by fetching them:

AWS.config.credentials.get(function(err) {
   if (err) console.log(err);
   else console.log(AWS.config.credentials);
});

I have validated the id token using jwt.io and I can see it has the proper expected fields. The "aud" and "azp" properties have the OAuth Client ID. I also double checked the Trust stanza in the AWS role to confirm it also has the exact same OAuth Client ID in the Condition.

I have passed in other invalid tokens and altered the RoleArn just to see the different errors, which I do.

I cannot find anything on the web describing reasons for "Incorrect token audience" so I'm at a loss for what to try next.

Blackandwhite answered 20/1, 2016 at 17:55 Comment(2)
I was able to get past the error by deleting an Identity Provider I had set up for Cognito. But I still don't know why that was causing the issue. The question of "what causes ..." is still valid if someone knows the answer. Blackandwhite
I'm having the same issue... Dickinson
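As an added diagnostic (not code from the question, the asker, or the AWS SDK), the following Node.js snippet decodes the id_token payload locally and compares its "aud" claim with the accounts.google.com:aud condition of the trust policy shown in the question, so an audience mismatch can be spotted before STS rejects the token. The client id and the unsigned sample token are constructed; the JWT signature is deliberately not verified here, since STS does that.

```javascript
// Added diagnostic (not from the question or the AWS SDK): decode the id_token
// payload and compare "aud" with the role's accounts.google.com:aud condition.
// The signature is not verified here; STS does that. This only explains a mismatch.

// Base64url-decode one JWT segment and parse it as JSON (Node.js Buffer API).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Collect every audience the trust policy accepts for accounts.google.com.
function policyAudiences(trustPolicy) {
  const auds = [];
  for (const stmt of trustPolicy.Statement) {
    const eq = (stmt.Condition && stmt.Condition.StringEquals) || {};
    const aud = eq['accounts.google.com:aud'];
    if (aud) auds.push(...(Array.isArray(aud) ? aud : [aud]));
  }
  return auds;
}

// Report whether the token's aud claim satisfies the policy condition.
function checkAudience(idToken, trustPolicy) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a three-part JWT' };
  const claims = decodeSegment(parts[1]);
  const tokenAuds = [].concat(claims.aud || []); // aud may be a string or an array
  const expected = policyAudiences(trustPolicy);
  const ok = tokenAuds.some((a) => expected.includes(a));
  return { ok, reason: ok ? 'aud matches trust policy' : 'aud not in trust policy',
           iss: claims.iss, aud: tokenAuds, azp: claims.azp, expected };
}

// Constructed sample data: an unsigned JWT (decoder input only) and the trust
// policy from the question with a made-up client id replacing the placeholder.
function unsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}
const CLIENT_ID = '1234567890-abc.apps.googleusercontent.com'; // constructed
const trustPolicy = { Version: '2012-10-17', Statement: [{
  Effect: 'Allow', Principal: { Federated: 'accounts.google.com' },
  Action: 'sts:AssumeRoleWithWebIdentity',
  Condition: { StringEquals: { 'accounts.google.com:aud': CLIENT_ID } } }] };
const goodToken = unsignedToken({ iss: 'accounts.google.com', aud: CLIENT_ID, azp: CLIENT_ID });
const badToken = unsignedToken({ iss: 'accounts.google.com', aud: 'other.apps.googleusercontent.com' });
console.log(checkAudience(goodToken, trustPolicy).ok, checkAudience(badToken, trustPolicy).reason);
```

Run it against the real id_token and the role's actual trust document to see which audience each side carries; a false result with a different "expected" list is exactly what STS reports as "Incorrect token audience".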