AWS code-library high security documentation change
Summary
Added clarification about including multiple thumbprints when OIDC provider's discovery and JWKS endpoints use different certificates
Security assessment
This change addresses a security-critical configuration gap where using different certificates for discovery and JWKS endpoints could lead to trust validation failures. Without both thumbprints, token verification might fail or allow improperly validated tokens, creating authentication vulnerabilities.
Diff
diff --git a/code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md b/code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md index 656570ee7..80ea291c4 100644 --- a//code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md +++ b//code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md @@ -28,0 +29,2 @@ This example updates the certificate thumbprint list for the OIDC provider whose +If your OIDC provider's discovery and JWKS endpoints use different certificates, include thumbprints for both endpoints in the `--thumbprint-list` value. +