AWS IAM Identity Center Expiry

Published Tue, Dec 19th, 2023


AWS IAM Identity Center exchanges third-party OIDC tokens for Identity Center-issued tokens. To prevent replay of a third-party token, Identity Center relies on that token's jti (JWT ID) claim: it kept a cache of previously seen jti values for a fixed period (24 hours) and rejected any token whose jti was already cached. It did not, however, require the third-party token to carry an exp claim. A token with a jti claim but no exp claim therefore had no lifetime bound of its own, so once its jti was evicted from the cache (more than 24 hours after first use) the same token could be presented and exchanged again.
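The following is an added example, not AWS's code and not derived from any Identity Center implementation detail beyond what the paragraph above states. It models the replay check as a fixed-TTL jti cache and shows the same exp-less token being accepted, then refused as a replay, then accepted again after the 24-hour window. The "hardened" configuration is an assumed, conventional fix (the page does not say what AWS changed): require exp, reject expired tokens, and refuse any token whose remaining lifetime exceeds the replay cache window, so that a jti can never be forgotten while the token that carried it is still valid. Signature verification is omitted because only the replay logic is at issue; the claim sets and timestamps are constructed for the demonstration.

```python
"""Model of a jti-based replay cache for an OIDC token-exchange endpoint.

Added example, not AWS/Identity Center code. Signature checks are omitted;
only the replay-cache and expiry logic is modelled.
"""

JTI_CACHE_TTL = 24 * 3600  # seconds; the fixed window described in the advisory


class TokenRejected(Exception):
    """Token failed validation for a reason other than replay."""


class TokenReplayed(TokenRejected):
    """Token's jti was already seen within the cache window."""


class TokenExchange:
    def __init__(self, require_exp: bool, cache_ttl: int = JTI_CACHE_TTL):
        self.require_exp = require_exp
        self.cache_ttl = cache_ttl
        self._seen = {}  # jti -> time at which the cache entry is evicted

    def _evict(self, now: float) -> None:
        # Fixed-period cache: an entry disappears once its TTL elapses,
        # regardless of whether the token that carried the jti is still valid.
        for jti, evict_at in list(self._seen.items()):
            if evict_at <= now:
                del self._seen[jti]

    def exchange(self, claims: dict, now: float) -> dict:
        jti = claims.get("jti")
        if not jti:
            raise TokenRejected("missing jti")

        if self.require_exp:  # assumed hardening; not on the original page
            exp = claims.get("exp")
            if not isinstance(exp, (int, float)):
                raise TokenRejected("missing exp")
            if exp <= now:
                raise TokenRejected("expired")
            # The token must not outlive the replay cache, otherwise its jti
            # could be evicted while the token is still presentable.
            if exp - now > self.cache_ttl:
                raise TokenRejected("lifetime exceeds replay cache window")

        self._evict(now)
        if jti in self._seen:
            raise TokenReplayed(jti)
        self._seen[jti] = now + self.cache_ttl

        # Stand-in for the Identity Center-issued token.
        return {"sub": claims.get("sub"), "iat": now, "exp": now + 3600, "src_jti": jti}


def attempt(exchanger: TokenExchange, claims: dict, now: float) -> str:
    """Return a short outcome label; convenient for building a timeline."""
    try:
        exchanger.exchange(claims, now)
        return "accepted"
    except TokenReplayed:
        return "replay"
    except TokenRejected as err:
        return f"rejected: {err}"


def replay_timeline(require_exp: bool, claims: dict) -> list:
    """Present the same token at t0, t0+1h and t0+25h and record each outcome."""
    exchanger = TokenExchange(require_exp=require_exp)
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    return [attempt(exchanger, claims, t0 + dt) for dt in (0, 3600, 25 * 3600)]


# Constructed third-party token claims with a jti but no exp, as in the advisory.
NO_EXP_TOKEN = {"iss": "https://idp.example", "sub": "alice", "jti": "abc-123"}
# The same token given a one-hour lifetime measured from t0.
SHORT_LIVED_TOKEN = dict(NO_EXP_TOKEN, exp=1_700_000_000 + 3600)

if __name__ == "__main__":
    # Vulnerable: ['accepted', 'replay', 'accepted'] -- the third presentation
    # succeeds because the jti was evicted after 24h and nothing else bounds the token.
    print("vulnerable:", replay_timeline(False, NO_EXP_TOKEN))
    # Hardened: the exp-less token is refused outright, and the short-lived one
    # is refused after its own exp passes, long before the cache forgets its jti.
    print("hardened  :", replay_timeline(True, NO_EXP_TOKEN))
    print("hardened  :", replay_timeline(True, SHORT_LIVED_TOKEN))
```

The invariant the hardened branch enforces is that the jti cache retention must be at least as long as the longest token lifetime the endpoint will accept; either bound the lifetime (as here) or size cache retention from each token's exp instead of a fixed TTL. Without an exp claim neither is possible, which is why requiring exp is the first check.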

Affected Services

Identity Center


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Fri, Dec 1st, 2023
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Aidan Steele