How to set audience for AWS IAM Identity Provider configuration?

I’m trying to generate temporary credentials in AWS using the AssumeRoleWithWebIdentity endpoint, with Auth0 as my Identity Provider. I’ve got everything set up correctly as far as I can tell, but I can’t seem to figure out how to set the audience properly so that the IAM IdP configuration and Auth0 agree. I’ve gone so far as to create a custom API hoping that by setting its identifier to a non-URL that would let me set the audience for Auth0 calls against this API, but it seems like it still uses the domain as audience, vs. the name I chose.

That is, I have set the identifier/audience in my custom API to be test-auth0-integration-2018-07-09, and when I make the initial call with that audience, it appears to work (swapped out names/credentials below if it’s not obvious):

$ curl --request POST \
>   --url https://my-app.auth0.com/oauth/token \
>   --header 'content-type: application/json' \
>   --data '{"client_id":"<client-id>","client_secret":"<client-secret>","audience":"test-auth0-integration-2018-07-09","grant_type":"client_credentials"}'

# Response:
{"access_token":"<some-token>","expires_in":86400,"token_type":"Bearer"}

Then I make the call to STS with the token I got back:

$ curl --request POST --url "https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&Version=2011-06-15&RoleArn=<some-arn>&RoleSessionName=me&WebIdentityToken=<some-token>"

…and it fails, and the audience is the URL vs. the identifier, as I had hoped:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>No OpenIDConnect provider found in your account for https://my-app.auth0.com/</Message>
  </Error>
  <RequestId>0e43d2f0-839d-11e8-9480-c9663281aad0</RequestId>
</ErrorResponse>

What am I doing wrong? How do I set the audience on the Auth0 side so it is consistent with what I have in my IAM IdP config on the AWS side?

Thanks!


I figured it out. You need to use the Auth0 client ID as the audience everywhere the IAM config asks for it, apparently (IdP settings, and in the associated role’s trust relationship).

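As an added illustration of the answer above (example code written for this page, not from Auth0 or AWS), the following builds the role trust policy that pins the `aud` condition to the Auth0 client ID, and runs a local pre-flight check that reads the unverified `iss` and `aud` claims of a token to explain why STS would reject it before the AssumeRoleWithWebIdentity call is made. The domain, client ID and account ID are constructed sample values; the `make_unsigned_token` helper only fabricates a JWT-shaped string for offline use.

```python
import base64
import json

# Constructed sample values (assumptions for this example, not from the thread).
AUTH0_DOMAIN = "my-app.auth0.com"
CLIENT_ID = "abc123ClientId"
ACCOUNT_ID = "123456789012"  # placeholder AWS account id


def trust_policy(account_id, auth0_domain, client_id):
    """Role trust policy admitting tokens from the Auth0 OIDC provider only when
    the aud claim equals the Auth0 client ID, as the answer above requires."""
    provider = f"{auth0_domain}/"  # IAM provider URL is https://<domain>/ (trailing slash kept)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
        }],
    }


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def token_matches_provider(token, auth0_domain, client_id):
    """Pre-flight check: compare the token's iss/aud with what the IAM provider and
    trust policy expect. Signature verification stays with STS; this only explains
    a mismatch locally. Returns (ok, reason)."""
    try:
        claims = _b64url_json(token.split(".")[1])
    except (IndexError, ValueError):
        return False, "token is not a JWT"
    if claims.get("iss") != f"https://{auth0_domain}/":
        return False, f"iss {claims.get('iss')!r} has no matching IAM OIDC provider"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        return False, f"aud {auds!r} does not equal the client ID in the trust policy"
    return True, "ok"


def make_unsigned_token(claims):
    """Build a JWT-shaped string with an empty signature, for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```

A token minted for the custom API identifier in the question fails the `aud` check here, which is the same mismatch the trust policy condition enforces on the AWS side.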