AWS's OIDC Identity Provider integration helps to integrate external identity providers to authenticate for AWS resources. Likely due to the sensitivity of the functionality, they require to pin the login domain certificate of the upstream identity provider. See this link here for more details.

This tool helps to avoid service distribution by updating the AWS configuration for the certificate thumbprint if the login domain certificate changes. This is useful especially if you don't have control for the login domain certificate rotation. For E.g. if you are using identity as a service solution (IaaS) like Auth0, Okta, Azure you likely have less control for the domain certificates.

As a simple solution, the solution here spins up a Lambda function that runs every X minutes configured with RUN_LAMBDA_EVERY_X_MIN env variable to check the certificate changes on the login domain and updates the thumbprint on AWS if needed.

Event notifications are sent to AWS CloudWatch. Optionally, you can also send them to Slack with Incoming Webhooks integration.

By using this tool you are working-around a security feature. Though it may not be very common to pin the login domain certificate, you are accepting the associated risks. Please check with your identity vendor first to see if they can provide a better solution.

Configure the env variables, by copying the template as .env.yml and fill the necessary variables.

mv .env.yml.sample .env.yml

yarn

serverless deploy

serverless remove