We are planning to use AWS WebIdentityFederation for a single page application.
I have created OIDC provider, which is an external ADFS and created a WebIdentityFederation assumed role. I am able to generate id_token through ADFS. In this id_token, I have added Role claim, which is AD Groups (I can change to AWS Role ARNs if needed) and then generate temporary STS tokens from AWS STS API.
However, it looks like, AWS WebIdentityFederation role doesn't validate any role claim inside id_token, like AWS does for SAML federation. This creates a authorization question, if an user have valid id_token, they can assume any WebIdentityFederation role.
For example: If I have two WebIdentityFederation roles READONLY and ADMIN, then an user with a valid id_token can assume READONLY and ADMIN both, even if in id_token user has READONLY role.
Is there any way to validate role or any other custom claims present in id_token? Can it be done through Trust Policy conditions?
