All AWS OIDC integrations will break before 31st Dec 2024
A massive number of complaints about the error
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint
is to be expected when the intermediate certificate used by Cloudflare to issue the gitlab.com TLS certificate expires.
After that, the issue will chronically repeat each time
- your CA rotates the operative intermediate certificate (nearest deadline 31st Dec 2024)
- your CA rotates their root certificate (nearest deadline 12th May 2025)
- you change your CA of choice (die at your will)
This is because AWS requires fingerprinting the CA's intermediate certificate. Fingerprinting the end-entity certificate also works but breaks at an even higher frequency (each time the gitlab.com TLS cert is renewed! e.g. see guided-explorations/aws/configure-openid-connect-in-aws#3). Unlike the sensible thing to do, AWS does not validate the TLS cert against a pre-trusted root certificate list but against this fingerprint, which can't be updated by gitlab.com users before it breaks. IMHO this is an AWS issue.
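To make the failure mode above concrete, here is an added example (not part of the original report and not GitLab's or AWS's code) that computes the thumbprint AWS IAM compares against for every certificate in a served TLS chain and checks whether the thumbprint configured on the IAM OIDC provider still matches any of them. The thumbprint format (SHA-1 over the DER encoding, lowercase hex, no colons) is the one AWS documents for IAM OIDC providers. The embedded PEM chain is constructed: its two blocks are placeholders whose base64 bodies decode to the bytes `leaf` and `abc`, not real certificates; in practice the chain is obtained with `openssl s_client -connect gitlab.com:443 -servername gitlab.com -showcerts </dev/null`. The function names `der_blocks`, `chain_thumbprints` and `matches_configured` are my own.

```python
import base64
import hashlib
import re

# Constructed sample chain (NOT real certificates): index 0 is the leaf as
# served by the site, index 1 stands in for the CA intermediate. The base64
# bodies decode to b"leaf" and b"abc" so the SHA-1 values are easy to check.
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_blocks(pem_text):
    """Return the DER bytes of every certificate in a PEM chain, in served order."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_BLOCK.finditer(pem_text)
    ]


def aws_thumbprint(der):
    """IAM OIDC provider thumbprint: SHA-1 of the DER bytes, lowercase hex, no colons."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(pem_text):
    """Thumbprint of each certificate in the chain; index 0 is the leaf,
    index 1 is normally the intermediate AWS expects you to fingerprint."""
    return [aws_thumbprint(der) for der in der_blocks(pem_text)]


def matches_configured(pem_text, configured_thumbprint):
    """Return the chain index whose thumbprint equals the one configured on the
    IAM OIDC provider, or None when nothing in the served chain matches. None is
    exactly the state that yields the InvalidIdentityToken error quoted above:
    after the CA rotates its intermediate, the configured value matches no cert."""
    wanted = configured_thumbprint.replace(":", "").lower()
    for index, thumbprint in enumerate(chain_thumbprints(pem_text)):
        if thumbprint == wanted:
            return index
    return None


if __name__ == "__main__":
    # Constructed value: the thumbprint an operator might have pinned in IAM.
    pinned = "a9993e364706816aba3e25717850c26c9cd0d89d"
    for i, tp in enumerate(chain_thumbprints(SAMPLE_CHAIN)):
        print(f"cert[{i}] thumbprint={tp}")
    hit = matches_configured(SAMPLE_CHAIN, pinned)
    print("configured thumbprint matches cert index:", hit)
```

Run this against the real chain served by your OIDC issuer before each CA rotation deadline listed above: if `matches_configured` returns None for the thumbprint stored on your IAM provider, AssumeRoleWithWebIdentity will start failing, and the fix is on the AWS side (update the IAM provider's thumbprint), not anything the issuer's users can change in advance.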
BUT
There is a mitigation GitLab could set up. According to AWS docs, if the OIDC provider's JWKS endpoint is hosted in S3, TLS will be automatically trusted, ignoring any TLS fingerprint, outdated or not. So, if the jwks_uri
URL listed in https://gitlab.com/.well-known/openid-configuration pointed to an S3 bucket, this would be pretty much alleviated.
I understand one would be reluctant to tailor their OIDC infrastructure around this AWS shortcoming, but it would really help if it was all the same to you. I still felt the issue ought to be reported.
Note such a change would not affect other OIDC consumers unless they are equally unreasonably picky as AWS is.