Announcing AWS STS support for ECDSA-based signatures of OIDC tokens

Posted on: Nov 22, 2024

Today, AWS Security Token Service (STS) is announcing support for digitally signing OpenID Connect (OIDC) JSON Web Tokens (JWTs) using Elliptic Curve Digital Signature Algorithm (ECDSA) keys. A digital signature guarantees the JWT’s authenticity and integrity and ECDSA is a popular, NIST-approved digital signature algorithm. When your identity provider (IdP) authenticates a user, it crafts a signed OIDC JWT representing that user’s identity. When your authenticated user calls the AssumeRoleWithWebIdentity API and passes their OIDC JWT, STS vends short-term credentials that enable access to your protected AWS resources.

You now have a choice between using RSA and ECDSA keys when your IdP digitally signs an OIDC JWT. To begin using ECDSA keys with your OIDC IdP, update your IdP’s JWKS document with the new key information. No change to your AWS Identity and Access Management (IAM) configuration is needed to use ECDSA-based signatures of your OIDC JWTs.

Support for ECDSA-based signatures of OIDC JWTs is available in all AWS Regions, including the AWS GovCloud (US) Regions .

To learn more about using OIDC to authenticate your users and workloads, please visit OIDC Federation in the IAM Users Guide.