17. security / secure-backend-access / oidc: reference

Last updated on Aug 05, 2025

To validate an OIDC token and integrate it with AWS IAM for role assumption, follow these steps:

  1. Retrieve JWK:

    • Fetch the JSON Web Key (JWK) from jwks_uri, selecting the key whose kid matches the kid in the token's header. This is a GET request to the jwks_uri URL published in the provider's OpenID Connect configuration.
  2. Verify JWT Signature:

    • Use the retrieved JWK to verify the signature of the JWT. A valid signature shows the token was issued by the holder of that key and has not been altered since.
  3. Extract Claims:

    • Decode the JWT to extract the payload, which includes claims such as iss, aud, sub, exp, etc.
  4. Validate Claims:

    • Ensure the audience (aud) matches https://epycbyte.com/[TEAM_SLUG].
    • Confirm the subject (sub) aligns with owner:[TEAM_SLUG]:project:[PROJECT_NAME]:environment:[ENVIRONMENT].
  5. Check Expiration:

    • The exp claim is seconds since the Unix epoch. Compare it with the current time and reject the token once that instant has passed; converting it to a human-readable timestamp helps when inspecting a token's validity period.
  6. Integrate with AWS IAM:

    • Structure an IAM policy document with conditions that check the validated claims.
    • Use these policies in AWS IAM roles to control access based on the token's attributes.
  7. Handle Errors and Expiration:

    • Reject invalid or expired tokens explicitly, for example by returning an appropriate HTTP error and denying access.
  8. Test and Monitor:

    • Test the setup with actual tokens to ensure correct behavior.
    • Continuously monitor for issues like token expiration or configuration changes that might affect access control.