
AWS token delegation flow yields tokens that are already expired

Tags: javascript, delegation, access-token, tokens, aws

#1

Hi!

I’m trying to implement the approach documented here:

https://auth0.com/docs/integrations/aws#obtain-aws-tokens-to-securely-call-aws-apis-and-resources

And I have authentication set up and mostly working - I get AWS credentials back to my JS app. However, the credentials have an expiry set to the same time as when the delegation call was made, which renders them unusable. I have tried setting the rule as follows, to try and control the lifetime, but it had no effect:

function (user, context, callback) {
  if (context.protocol === 'delegation') {
    // set AWS settings: start with the default role pair, then add the
    // per-user account/role pairs stored on the profile
    user.awsRoles = ["arn:aws:iam::snip:saml-provider/our-auth0,arn:aws:iam::snip:role/some-default-role"];

    if (user.aws_roles) {
      for (var i = 0; i < user.aws_roles.length; i++) {
        var role = user.aws_roles[i];
        for (var j = 0; j < role.roles.length; j++) {
          user.awsRoles.push("arn:aws:iam::" + role.account + ":saml-provider/our-auth0,arn:aws:iam::" + role.account + ":role/some-" + role.roles[j]);
        }
      }
    }

    context.addonConfiguration = context.addonConfiguration || {};
    context.addonConfiguration.aws = context.addonConfiguration.aws || {};
    context.addonConfiguration.aws.principal = 'arn:aws:iam::snip:saml-provider/our-auth0';
    context.addonConfiguration.aws.role = 'arn:aws:iam::snip:role/some-default-role';

    // map SAML attributes to user profile fields / literal values
    context.addonConfiguration.aws.mappings = {
      'https://aws.amazon.com/SAML/Attributes/Role': 'awsRoles',
      'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'email',
      'https://aws.amazon.com/SAML/Attributes/SessionDuration': '43200'
    };
  }

  callback(null, user, context);
}

We use a similar approach for AWS console login, and it works great. We have a list of permitted accounts and roles stored per user, and add those dynamically. In the console SAML approach, AWS presents a list of roles when logging in. Is it possible to specify which of the permitted roles I want to use via the Auth0 JS API, like this?

var options = {
  id_token: result.idToken,
  api: 'aws',
  role: ROLE_CHOSEN_BY_USER,
  principal: ARN_TO_ACCOUNT_PRINCIPAL
};

auth0.getDelegationToken(options, function (err, delegationResult) {
  if (err) {
    // on failure there is no delegationResult to read
    console.log(err);
    return;
  }
  $('#result').append(JSON.stringify(delegationResult.Credentials, null, '\t'));
});

My thanks in advance for any help you can provide!
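The role-selection question above, as an added example that is not part of the original post or of Auth0's code: a pure helper for the rule's role-mapping step that expands the per-user permitted list into SAML Role attribute values and, when the client names a role, only honours it if it is on that list. It assumes the profile shape from the poster's rule (aws_roles entries with account and roles), the provider name our-auth0, and a constructed sample user.

```javascript
// Added example: server-side selection of the AWS role pair from a permitted list.
const SAML_PROVIDER = 'our-auth0';   // assumed provider name, as in the rule above

// One SAML "Role" attribute value: "<saml-provider arn>,<role arn>".
function roleArnPair(account, roleName) {
  return 'arn:aws:iam::' + account + ':saml-provider/' + SAML_PROVIDER +
         ',arn:aws:iam::' + account + ':role/some-' + roleName;
}

// Expand the user's permitted (account, roles[]) entries into attribute values.
function permittedRolePairs(user) {
  const pairs = [];
  (user.aws_roles || []).forEach(function (entry) {
    (entry.roles || []).forEach(function (roleName) {
      pairs.push(roleArnPair(entry.account, roleName));
    });
  });
  return pairs;
}

// Decide what goes into user.awsRoles. With no requested role, offer every
// permitted pair (the console-style picker). With a requested role ARN, return
// only the matching pair, and refuse anything not on the permitted list so the
// client cannot obtain a role merely by naming it in the delegation request.
function selectAwsRoles(user, requestedRoleArn) {
  const permitted = permittedRolePairs(user);
  if (!requestedRoleArn) {
    return permitted;
  }
  const match = permitted.filter(function (pair) {
    return pair.split(',')[1] === requestedRoleArn;
  });
  if (match.length === 0) {
    throw new Error('requested role is not permitted for this user');
  }
  return match;
}

// Constructed sample user in the shape the rule expects (not real account ids).
const sampleUser = {
  email: 'alice@example.com',
  aws_roles: [
    { account: '111111111111', roles: ['admin', 'read-only'] },
    { account: '222222222222', roles: ['read-only'] }
  ]
};

console.log(selectAwsRoles(sampleUser, 'arn:aws:iam::222222222222:role/some-read-only'));
```

In the rule, the validated result would be assigned to user.awsRoles before the mappings are set, so the choice is enforced where the assertion is built rather than trusted from the client.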


#2