README.md
Lines changed: 8 additions & 4 deletions
@@ -17,19 +17,23 @@ Before using this tool, you or the system administrator need to setup the follow
17
17
18
18
Also depending on the federation method between AWS and the OIDC provider, requirements for the OIDC providers will change.
19
19
20
-
##For SAML2
20
+
### Federation method: SAML2
21
21
- Of course, the OIDC provider must support not only OIDC but also SAML2 for federation between itself and AWS.
22
22
- The OIDC provider must support [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-15) for exchanging OAuth/OIDC token and SAML2 assertion. `aws-cli-oidc` gets access token/ID token from the OIDC provider first, then it needs to get SAML2 assertion from the provider which is required for getting AWS temporary credentials using AWS STS API.
23
23
24
-
##For OIDC
24
+
### Federation method: OIDC
25
25
- The OIDC provider only needs to support OIDC. SAML2 and OAuth 2.0 Token Exchange are not necessary. Very simple.
26
26
- However, the JWKS endpoint of the OIDC provider needs to export it to the Internet because AWS try to access the endpoint to obtain the public key and to verify the ID token which is issued by the provider.
27
27
28
28
29
29
## Tested OIDC Provider
30
30
31
-
Currently I tested this tool using [Keycloak](https://keycloak.org) as the OIDC provider.
32
-
Note: You can't use SAML2 without extension which supports exchanging from access token to SAML2 assertion because Keycloak supports [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-15) partially and doesn't support SAML2 assertion yet.
31
+
| OIDC Provider | OIDC | SAML2 |
32
+
| ---- | ---- | ---- |
33
+
|[Google account](https://accounts.google.com/.well-known/openid-configuration)| OK | - |
34
+
|[Keycloak](https://www.keycloak.org)| OK | OK (Note 1) |
35
+
36
+
* Note 1: You can't use SAML2 without extension which supports exchanging from access token to SAML2 assertion because Keycloak supports [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-15) partially and doesn't support SAML2 assertion yet.
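Review bot: the Keycloak row marks the SAML2 column as "OK (Note 1)" while Note 1 directly beneath the table says SAML2 cannot be used without an extension because Keycloak only partially supports OAuth 2.0 Token Exchange and does not yet exchange an access token for a SAML2 assertion; as written the table and the note contradict each other, so the cell should state the caveat rather than "OK", for example `|[Keycloak](https://www.keycloak.org)| OK | Requires extension (Note 1) |`. The "-" in the Google account row is likewise left unexplained; since the unchanged "Federation method: SAML2" context above lists SAML2 and token exchange support as hard requirements, a second note (or a legend line under the table) saying that "-" means the provider offers no SAML2/token-exchange path would make the support matrix unambiguous for someone choosing a federation method.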