IDToken/OIDC feature unusable for private network deployments

[b1n9s]

Problem

I'm trying to use the IDToken feature for AWS IAM OIDC workload identity, but my Concourse deployment is in a private network (not publicly accessible).

The issue:

• Concourse generates tokens with iss claim = --external-url
• AWS IAM OIDC provider needs to fetch <issuer>/.well-known/jwks.json to verify tokens
• My private Concourse URL is not reachable from AWS
• Token verification fails

Current workaround:

• Mirror .well-known files to CloudFront + S3
• Use private Route53 hosted zones with VPC associations
• This is complex, requires cross-account setup, and is fragile

Question

Is there a recommended way to use IDToken with private Concourse deployments?

One idea I had: Allow configuring a separate --oidc-issuer-url (similar to Kubernetes' --service-account-issuer) so the OIDC discovery can be served from a
public URL while Concourse itself stays private. But I'm not sure if this approach makes sense for Concourse's architecture or if there's a better solution.

Would appreciate any guidance or suggestions!

[dbaumgarten]

Hi,

yeah, as of now for the idtoken feature to work properly it is neccessarry that your Concourse is publicly reachable.

Your propoesed solution might help a bit, but will result in issues during signing-key rotation.
Once concourse creates a new signing-key it will start to use it immediately. And until you sync the new key to you your S3 bucket, validation of issued tokens will fail.

You could completely disable the key-rotation, but from a security perspective that would be a very bad idea

[b1n9s]

Thank you very much for the comment and pointing it out. And also thank you very much for adding the idtoken feature!

You are correct that S3 sync would have this issue, but a real-time proxy (CloudFront/ Public ALB) can solve it instead of S3 mirroring. The proxy forwards /.well-known/* requests directly to the private Concourse instance, so there's no sync delay.

The --oidc-issuer-url flag is still needed because:

• Tokens have iss claim set to the private --external-url by default
• AWS IAM OIDC provider can't reach the private URL to fetch JWKS
• --oidc-issuer-url allows setting the iss claim to a public URL that AWS can reach
• The public URL (via proxy) serves the same (and only) JWKS from the private Concourse

This way, Concourse stays completely private while AWS can still verify tokens.

I'd appreciate more of your thoughts on this approach. I have a pull request ready for review if you have some time.

[dbaumgarten]

Yes, with a realtime proxy instead of a periodic sync that should work nicely.
I'll take a look at the PR

[b1n9s]

Implemented in this PR