
AWS token delegation flow yields tokens that are already expired




I’m trying to implement the approach documented here:

And I have authentication set up and mostly working - I get AWS credentials back to my JS app. However, the credentials have an expiry set to the same time as when the delegation call was made, which renders them unusable. I have tried setting the rule as follows to try to control the lifetime, but it had no effect:

function (user, context, callback) {
  if (context.protocol === 'delegation') {
    // set AWS settings: a default "provider,role" pair, then any per-user account/role pairs
    user.awsRoles = ["arn:aws:iam::snip:saml-provider/our-auth0,arn:aws:iam::snip:role/some-default-role"];

    if (user.aws_roles) {
      for (var i = 0; i < user.aws_roles.length; i++) {
        var role = user.aws_roles[i];
        for (var j = 0; j < role.roles.length; j++) {
          user.awsRoles.push("arn:aws:iam::" + role.account + ":saml-provider/our-auth0,arn:aws:iam::" + role.account + ":role/some-" + role.roles[j]);
        }
      }
    }

    context.addonConfiguration = context.addonConfiguration || {};
    context.addonConfiguration.aws = context.addonConfiguration.aws || {};
    context.addonConfiguration.aws.principal = 'arn:aws:iam::snip:saml-provider/our-auth0';
    context.addonConfiguration.aws.role = 'arn:aws:iam::snip:role/some-default-role';
    // mapping keys are the standard AWS SAML attribute names (restored here; the
    // original post's keys were dropped by extraction, so treat them as assumed)
    context.addonConfiguration.aws.mappings = {
      'https://aws.amazon.com/SAML/Attributes/Role': 'awsRoles',
      'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'email',
      'https://aws.amazon.com/SAML/Attributes/SessionDuration': '43200'
    };
  }

  callback(null, user, context);
}

We use a similar approach for AWS console login, and it works great. We have a list of permitted accounts and roles stored per user, and add those dynamically. In the console SAML approach, AWS presents a list of roles when logging in. Is it possible to specify which of the permitted roles I want to use via the Auth0 JS API? Like this?

var options = {
    id_token: result.idToken,
    api: 'aws',
    role: ROLE_CHOSEN_BY_USER,
    principal: ARN_TO_ACCOUNT_PRINCIPAL
};

auth0.getDelegationToken(options, function (err, delegationResult) {
    if (err) { return console.error(err); }
    $('#result').append(JSON.stringify(delegationResult.Credentials, null, '\t'));
});

My thanks in advance for any help you can provide!
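As an added illustration (not part of the original post or of Auth0's own code), the snippet below builds the same per-user "provider,role" pairs the rule above produces, checks that a role ARN picked in the browser is actually one of that user's permitted roles before it is used (a client-chosen role should never be trusted as-is), and flags delegation credentials whose Expiration is not in the future, which is the symptom the post describes. The `aws_roles`/`account`/`roles` shape and the `our-auth0` and `some-` naming come from the post; the account numbers and timestamps are constructed sample data.

```javascript
// Added example, not from the original post. Assumes the user record shape
// used in the post: user.aws_roles = [{ account: '...', roles: ['...'] }].
const PROVIDER_NAME = 'our-auth0'; // provider name from the post
const ROLE_PREFIX = 'some-';        // roles are named "some-<role>" in the post

// Build "arn:...:saml-provider/our-auth0,arn:...:role/some-<role>" pairs for
// every account/role combination the user is permitted to assume.
function buildRolePairs(awsRoles) {
  const pairs = [];
  for (const entry of awsRoles || []) {
    for (const r of entry.roles) {
      pairs.push(
        'arn:aws:iam::' + entry.account + ':saml-provider/' + PROVIDER_NAME +
        ',arn:aws:iam::' + entry.account + ':role/' + ROLE_PREFIX + r);
    }
  }
  return pairs;
}

// A role ARN requested by the client is only honoured if it is in the
// server-side permitted list; returns the full "provider,role" pair or null.
function selectRole(awsRoles, requestedRoleArn) {
  const pairs = buildRolePairs(awsRoles);
  return pairs.find(p => p.split(',')[1] === requestedRoleArn) || null;
}

// Delegation credentials carry an ISO 8601 Expiration; credentials that expire
// at (or before) the moment they are checked are unusable, as in the post.
function credentialsUsable(credentials, now) {
  const exp = Date.parse(credentials.Expiration);
  return Number.isFinite(exp) && exp > now.getTime();
}

// Constructed sample user (account number is a placeholder, not a real account)
const sampleUser = {
  aws_roles: [{ account: '111111111111', roles: ['admin', 'readonly'] }]
};
```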