Posted On: Nov 20, 2024
Today, Amazon Security Token Service (STS) is announcing support for digitally signing OpenID Connect (OIDC) JSON Web Tokens (JWTs) using Elliptic Curve Digital Signature Algorithm (ECDSA) keys. A digital signature guarantees the JWT’s authenticity and integrity and ECDSA is a popular digital signature algorithm. When your identity provider (IdP) authenticates a user, it crafts a signed OIDC JWT representing that user’s identity. When your authenticated user calls the AssumeRoleWithWebIdentity API and passes their OIDC JWT, STS vends short-term credentials that enable access to your protected Amazon Web Services resources.
You now have a choice between using RSA and ECDSA keys when your IdP digitally signs an OIDC JWT. To begin using ECDSA keys with your OIDC IdP, update your IdP’s JWKS document with the new key information. No change to your Amazon Identity and Access Management (IAM) configuration is needed to use ECDSA-based signatures of your OIDC JWTs.
Support for ECDSA-based signatures of OIDC JWTs is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD.
To learn more about using OIDC to authenticate your users and workloads, please visit OIDC Federation in the IAM Users Guide.