+++ This bug was initially created as a clone of Bug #2324153 +++

Description of problem:

With incorrect thumbprints in the OIDC provider, the sts assume-role-with-web-identity request succeeds, bypassing thumbprint verification.

Log snippet:

Actual thumbprints of the identity provider:

    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ ./obtain_oidc_thumbprint.sh
    C2746A3F9F2A39308C65031997971DC217DFE396
    FB0E550188A5283990B1313D313712AE5BB82F45
    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$

The sts aswi request succeeds with fake thumbprints in the OIDC provider:

    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam list-open-id-connect-providers
    /usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
      warnings.warn(
    {
        "OpenIDConnectProviderList": [
            {
                "Arn": "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
            }
        ]
    }
    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$

    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
    /usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
      warnings.warn(
    {
        "Url": "http://10.0.64.108:8180/realms/master",
        "ClientIDList": [
            "account",
            "sts_client"
        ],
        "ThumbprintList": [
            "E292963BBB547E837805C088572EB0C3D97AB3F0",
            "A2A1930F45FA426142B7D2FF34F936020691B99C"
        ],
        "CreateDate": "2024-11-05T18:49:44.130Z"
    }
    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$

    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl sts assume-role-with-web-identity --role-arn arn:aws:iam:::role/S3RoleOf.coryd.550 --role-session-name session1 --web-identity-token "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5NVVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.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.YkUGztOBQj9MZTf3WsEifcBeUbQmjEC-AtvhlMogs75ZlQC7VvfICLLYj9ulrMzJDVMHSFn3eG645wRUnH6o_WVxOR6Jpup5RypJ_l_uWKh4ojsRqBAyNkClki1wGzEQPlwHycKRO7d_lSSAeutqxba5ebIX9wQO9xLfEn-a6Al84ELuq2wVQIzI5hal2vT7PApn-rdfsnlPva634PzSJ4bIjOCqIKMGFmEe35xaCYg3UUKc3m0R9xAmGNVhFLahqc0TLg6Rse7kosLrOgQITaWyTcqBj0cTejF9DZWiFgG7Z7Sg48_XIc2WwM-J0l8w1MiFmr8JsUe6xun-6uZJxQ"
    /usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
      warnings.warn(
    {
        "Credentials": {
            "AccessKeyId": "cOC29o1YL1dp0O7TahgI",
            "SecretAccessKey": "1C4YQR65H8HFVQ860KMLBYDSM109SCDX082CFRGK",
            "SessionToken": "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",
            "Expiration": "2024-11-05T20:11:24.263516724Z"
        },
        "SubjectFromWebIdentityToken": "755021a9-3580-4b9f-8243-cb15dbd4aaac",
        "AssumedRoleUser": {
            "Arn": "arn:aws:sts:::assumed-role/S3RoleOf.coryd.550/session1"
        },
        "PackedPolicySize": 0,
        "Provider": "http://10.0.64.108:8180/realms/master",
        "Audience": "master-realm"
    }
    [cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$

Version-Release number of selected component (if applicable):
ceph version 19.2.0-52.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create an OIDC provider with the identity provider URL and incorrect thumbprints.
2. Create a role and put a role policy on the role.
3. Create a user and add the roles=* and oidc-provider=* capabilities to it.
4. Try to perform sts aswi. The request succeeds, bypassing thumbprint verification.

Actual results:
The sts aswi request succeeds, bypassing thumbprint verification.

Expected results:
The sts aswi request should fail if incorrect thumbprints are present in the OIDC provider.

Additional info:
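For reference, the check the reporter expects RGW to enforce, as an added illustration rather than RGW's own code: the token's protected header names a kid, the provider's JWKS supplies that key's x5c certificate, and the SHA-1 fingerprint of that DER certificate (what obtain_oidc_thumbprint.sh prints) must appear in the provider's registered ThumbprintList, with the check failing closed when the kid is unknown or the key carries no x5c. The JWT header below is the first segment of the token in the report; the payload, signature, JWKS and the "certificates" inside it are constructed stand-ins (arbitrary bytes base64-encoded the way x5c carries DER), not Keycloak's real keys.

```python
"""
OIDC provider thumbprint check for STS AssumeRoleWithWebIdentity (added illustration).

Mirrors what obtain_oidc_thumbprint.sh derives: the SHA-1 fingerprint of the DER
certificate published as "x5c" in the provider's JWKS, compared against the
ThumbprintList registered on the OIDC provider. Runs offline on constructed data.
"""
import base64
import hashlib
import hmac
import json


def _b64_decode(s: str) -> bytes:
    """Decode a JWT segment (base64url, unpadded) or an x5c entry (standard base64)."""
    s = s.strip()
    # urlsafe_b64decode also accepts '+' and '/', so one helper serves both encodings.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_kid(token: str) -> str:
    """Return the 'kid' from the JWT's protected header (no signature check here)."""
    header = json.loads(_b64_decode(token.split(".")[0]))
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("JWT header carries no kid")
    return kid


def x5c_thumbprint(x5c_entry: str) -> str:
    """SHA-1 over the DER certificate, uppercase hex, as obtain_oidc_thumbprint.sh prints it."""
    return hashlib.sha1(_b64_decode(x5c_entry)).hexdigest().upper()


def _normalize(tp: str) -> str:
    """Accept 'AA:BB:...' or lowercase input; reject anything that is not a SHA-1 hex digest."""
    tp = tp.replace(":", "").strip().upper()
    if len(tp) != 40 or any(c not in "0123456789ABCDEF" for c in tp):
        raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
    return tp


def thumbprint_matches(jwks: dict, kid: str, registered: list) -> bool:
    """
    Fail-closed check: True only if exactly one JWK carries the token's kid, that JWK
    has an x5c chain, and at least one certificate in the chain has a fingerprint in
    the registered ThumbprintList. Any missing piece rejects; the check is never skipped.
    """
    wanted = {_normalize(t) for t in registered}
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(keys) != 1:            # unknown or ambiguous kid
        return False
    chain = keys[0].get("x5c") or []
    if not chain:                 # nothing to thumbprint: reject rather than trust the key
        return False
    for cert in chain:
        actual = x5c_thumbprint(cert)
        if any(hmac.compare_digest(actual, w) for w in wanted):
            return True
    return False


def expected_thumbprints(jwks: dict) -> list:
    """What obtain_oidc_thumbprint.sh would print for this JWKS: one fingerprint per x5c cert."""
    return [x5c_thumbprint(c) for k in jwks.get("keys", []) for c in k.get("x5c", [])]


# Protected header from the token in the report; payload ({}) and signature are constructed.
TOKEN = ("eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5N"
         "VVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.e30.c2ln")

# Constructed stand-in "certificates": arbitrary bytes in the base64 form x5c uses for DER.
_SIGNING_CERT = base64.b64encode(b"constructed stand-in for the RS256 signing cert DER").decode()
_ENC_CERT = base64.b64encode(b"constructed stand-in for the RSA-OAEP encryption cert DER").decode()
JWKS = {"keys": [
    {"kid": "eRP8sEnxhw0nMUSulxT_5R0RTJsqVh9gHDrN-c3rEGc", "kty": "RSA", "alg": "RS256",
     "use": "sig", "x5c": [_SIGNING_CERT]},
    {"kid": "constructed-enc-key", "kty": "RSA", "alg": "RSA-OAEP",
     "use": "enc", "x5c": [_ENC_CERT]},
]}

# The fake thumbprints registered on the provider in the report.
FAKE_THUMBPRINTS = ["E292963BBB547E837805C088572EB0C3D97AB3F0",
                    "A2A1930F45FA426142B7D2FF34F936020691B99C"]

if __name__ == "__main__":
    kid = jwt_kid(TOKEN)
    print("kid:", kid)
    print("actual thumbprints:", expected_thumbprints(JWKS))
    print("aswi with actual thumbprints registered:", thumbprint_matches(JWKS, kid, expected_thumbprints(JWKS)))
    print("aswi with fake thumbprints registered:  ", thumbprint_matches(JWKS, kid, FAKE_THUMBPRINTS))
```

The provider in the report is registered over plain http://, so nothing else authenticates the JWKS the gateway fetches; once the thumbprint comparison is skipped, whatever key that fetch returns is trusted to sign tokens for the role, which is why the expected result is a hard failure rather than a warning.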