The OIDC ID Token Credential Provider enables secure identity token generation and exchange with third-party services.
You can configure the following options for your OIDC ID Token Credential Provider:
- custom claims configuration.
- flexible signing algorithms (ES256 and RS256).
- support for Workload Identity Federation (WIF) solutions such as AWS Security Token Service (STS), Google Cloud Platform (GCP) WIF, Azure WIF, Vault, and more.
Create an OIDC ID Token Credential Provider
To create an OIDC ID Token Credential Provider, follow these steps:
- Log into your Aembit Tenant, and go to Credential Providers in the left sidebar.
- (Optional) In the top right corner, select the Resource Set in which you want this Credential Provider to reside.
- Click + New, which displays the Credential Provider pop out menu.
- Enter a Name and optional Description.
- Under Credential Type, select OIDC ID Token, revealing more fields.
- Fill out the remaining fields:
  - Subject - Enter the unique identifier for the workload receiving the token. Choose how Aembit determines the subject claim in your OIDC tokens:
    - Dynamic: Aembit determines the subject at runtime based on the calling workload’s identity
    - Literal: Aembit uses a fixed value as the subject for all tokens
  - Issuer - The issuer URL identifies who created and signed the token. This value should match what your relying party expects. Aembit automatically generates this value based on your tenant information.
  - Lifetime - Specify how long (in seconds) your OIDC tokens remain valid after issuance. Match your security requirements and target system expectations:
    - Shorter lifetimes (minutes to hours) limit how long a leaked token stays usable
    - Longer lifetimes reduce token refresh frequency
  - Signing Algorithm Type - Select the algorithm Aembit uses to sign your OIDC tokens:
    - RSASSA-PKCS1-v1_5 using SHA-256 (default) - RS256 signature with SHA-256 (widely supported)
    - ECDSA using P-256 and SHA-256 - ES256 signature with the P-256 curve and SHA-256
  - Audience - Enter the URI or identifier of the service or API that validates this token. This should match what your target identity broker or service expects.
- (Optional) For Custom Claims, click New Claim. For a list of common custom claims, see Common OIDC claims. Then fill out the following:
  - Enter the Claim Name (for example: groups, email, role, environment).
  - For Value, enter the value based on which type you choose:
    - Literal: Enter the exact string value to include in the token
    - Dynamic: Enter an expression or select from available context variables
- (Optional) Repeat the preceding step for each additional Claim.
- Click Save.
Verify your OIDC ID Token Credential Provider
To verify that an OIDC ID Token is retrievable from the identity provider you configured, follow these steps:
- In your Aembit Tenant, go to Credential Providers in the left sidebar menu.
- From the list of Credential Providers, select the OIDC ID Token Credential Provider that you want to verify. This reveals the Credential Provider pop out window.
- Click Verify at the top.
- When successful, Aembit posts a green notification that says “Verified successfully.” If the verification isn’t successful, double check your configuration to make sure all the values are correct, then try again.
Terraform configuration
You can automate the creation and management of your OIDC ID Token Credential Provider using Terraform.
The following is an example (the resource label `oidc_id_token` is a placeholder you can rename):

```hcl
resource "aembit_credential_provider" "oidc_id_token" {
  name      = "Example OIDC ID Token"
  is_active = true

  oidc_id_token = {
    subject             = "example-subject"
    subject_type        = "literal" # Options: "literal" or "dynamic"
    lifetime_in_minutes = 60
    audience            = "api.example.com"
    algorithm_type      = "RS256" # Options: "RS256", "ES256"

    custom_claims = [
      {
        key        = "department"
        value      = "engineering"
        value_type = "literal"
      },
      {
        key        = "role"
        value      = "developer"
        value_type = "dynamic"
      }
    ]
  }

  tags = {
    environment = "production"
    team        = "platform"
  }
}
```
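As an added example that is not part of the Aembit documentation or the Aembit Terraform provider, the following Go program mints an ID token with the claim shape described above (subject, issuer, audience, lifetime, plus the two custom claims from the Terraform example), signs it with either RS256 or ES256 using only the standard library, and then validates it the way the relying party on the other side of a WIF exchange should. The issuer URL `https://issuer.example`, the generated keys, and the function names `ExampleClaims`, `MintIDToken` and `VerifyIDToken` are assumptions made here; Aembit derives the real issuer from your tenant, and a real relying party takes the public key from the issuer's JWKS.

```go
// Added example (not Aembit's code): mint an OIDC ID token as this page describes and validate it as a relying party should; the issuer URL is a placeholder.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// ExampleClaims mirrors the Terraform example above; the issuer URL is a constructed placeholder (Aembit derives the real one from the tenant).
func ExampleClaims(now time.Time, lifetime time.Duration) map[string]any {
	return map[string]any{
		"iss": "https://issuer.example", "sub": "example-subject", "aud": "api.example.com", // placeholder issuer
		"iat": now.Unix(), "exp": now.Add(lifetime).Unix(), "department": "engineering", "role": "developer",
	}
}

// MintIDToken signs claims as a compact JWS; only RS256 with an RSA key or ES256 with a P-256 key is accepted.
func MintIDToken(alg string, key crypto.Signer, claims map[string]any) (string, error) {
	ec, isEC := key.(*ecdsa.PrivateKey)
	if _, isRSA := key.(*rsa.PrivateKey); !(alg == "RS256" && isRSA) && !(alg == "ES256" && isEC && ec.Curve == elliptic.P256()) {
		return "", errors.New("alg must be RS256 with an RSA key or ES256 with a P-256 key")
	}
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256) // PKCS#1 v1.5 for RSA, ASN.1 DER for ECDSA
	if err != nil {
		return "", err
	}
	if isEC { // JWS ES256 carries raw R||S, each left-padded to 32 bytes, not DER
		var rs struct{ R, S *big.Int }
		if _, err = asn1.Unmarshal(sig, &rs); err != nil {
			return "", err
		}
		sig = make([]byte, 64)
		rs.R.FillBytes(sig[:32])
		rs.S.FillBytes(sig[32:])
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken does the relying-party checks: three-part JWS, alg pinned to the key type (so "none" and alg confusion fail), valid signature, then iss, aud and exp.
func VerifyIDToken(token string, pub crypto.PublicKey, wantIss, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims map[string]any
	for i, dst := range []any{&hdr, &claims} {
		if b, err := b64.DecodeString(parts[i]); err != nil {
			return nil, err
		} else if err = json.Unmarshal(b, dst); err != nil {
			return nil, err
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	valid := false
	switch k := pub.(type) {
	case *rsa.PublicKey:
		valid = hdr.Alg == "RS256" && rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	case *ecdsa.PublicKey:
		valid = hdr.Alg == "ES256" && len(sig) == 64 &&
			ecdsa.Verify(k, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
	}
	if !valid {
		return nil, errors.New("alg not allowed for this key, or bad signature")
	}
	if claims["iss"] != wantIss || claims["aud"] != wantAud {
		return nil, errors.New("iss or aud does not match this relying party")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}
```

The design point is in `VerifyIDToken`: the relying party never lets the token's own `alg` header choose the verification routine; it decides from the key it trusts which single algorithm is acceptable, so a token claiming `none`, an HMAC algorithm, or the other asymmetric algorithm fails before any signature math runs. The issuer and audience checks are what make the Issuer and Audience fields above matter, and the `exp` check is where the configured Lifetime takes effect on the consuming side.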
To create an OIDC ID Token Credential Provider with Terraform, follow these steps:
- Create a Terraform file (for example, oidc_provider.tf) with your configuration.
- Initialize the Terraform environment:

```sh
terraform init
```

- Review the planned changes:

```sh
terraform plan
```

- Apply the configuration:

```sh
terraform apply
```

- Verify the newly created Credential Provider in the Aembit Tenant UI.