AWS and the OIDC provider don't have a trust relationship yet.
AWS doesn't recognize tokens issued by this OIDC provider. Any authentication attempts would be rejected.
Imagine a fancy restaurant (AWS) that only accepts members with valid membership cards. A new membership club (OIDC provider) has opened nearby, but the restaurant doesn't recognize their membership cards yet.
AWS and the OIDC provider exchange necessary public information.
The OIDC provider shares its issuer URL and public signing keys. AWS shares its client ID and redirect URIs.
The restaurant and membership club exchange information. The club shares what their membership cards look like and their security features. The restaurant shares which privileges members would receive.
AWS configures the OIDC provider as a trusted identity provider.
AWS creates an IAM Identity Provider resource with the OIDC issuer URL, the client ID (the audience value the provider puts in its tokens), and the thumbprint of the provider's server certificate. It also defines which token claims (such as audience and subject) are used to map identities.
The restaurant adds the new club to their 'recognized memberships' list. They decide which features on the card they'll check (photo, hologram, expiration date) and which membership levels get which privileges.
AWS defines what authenticated users from this provider can access.
AWS creates IAM roles with trust policies that specify which authenticated users from the OIDC provider can assume the role, and what permissions those roles have.
The restaurant creates specific benefits for the new club members: Gold members get access to private dining rooms, Silver members get priority seating, etc. These rules are written down and given to all staff.
Users can now authenticate via the OIDC provider to access AWS resources.
Users authenticate with the OIDC provider, receive a token, and present it to AWS. AWS verifies the token's signature with the provider's public keys, checks its claims (issuer, audience, expiry), and grants access based on those claims.
Now when club members visit the restaurant, they show their membership card. The staff recognizes the card, verifies it's authentic, checks the member's level, and provides the appropriate benefits.
The trust relationship is now established. AWS will accept identity tokens from the OIDC provider, verify them, and grant access based on the token claims and defined IAM roles.
This completes the "trust establishment" phase. Now users can authenticate with the OIDC provider and use their identity to access AWS resources.
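To make steps 3 to 5 concrete, here is an added example (not code from the original page, and not an AWS library) that models, in plain Python, what AWS does with a presented token: it checks the registered claims (issuer, audience, expiry) and then evaluates the role's trust policy, whose Condition block keys claims as `<provider-host>:aud` and `<provider-host>:sub`, exactly as IAM trust policies for OIDC providers do. The issuer `oidc.example.com`, the account ID, the audience and the `group:gold:*` subject convention are constructed placeholders; signature verification against the provider's published keys is assumed to have already succeeded, since a JWT library performs that step before any of this logic runs.

```python
"""Added example (not from the original page): a model of how an AWS IAM
role trust policy gates access for OIDC-issued tokens.  The issuer,
audience, subjects, account ID and policy are constructed placeholders.
Signature verification against the provider's published public keys is
assumed to have already succeeded; this code covers the claim checks and
the trust-policy Condition evaluation that follow it."""
import fnmatch
import time

# Constructed values: a hypothetical OIDC provider registered in IAM.
ISSUER = "https://oidc.example.com"      # issuer URL registered in IAM
PROVIDER_HOST = "oidc.example.com"       # host used in condition keys
AUDIENCE = "my-aws-client"               # client ID / aud registered in IAM
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER_HOST}"

# Constructed trust policy: only tokens from the registered provider, for
# the registered audience, whose subject is in the "gold" group may assume
# the role (the restaurant's "Gold members get the private room" rule).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER_HOST}:aud": AUDIENCE},
            "StringLike": {f"{PROVIDER_HOST}:sub": "group:gold:*"},
        },
    }],
}


def validate_claims(claims, now=None):
    """Checks an already signature-verified token's registered claims:
    issuer, audience and expiry.  Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in auds:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def _condition_matches(operator, key, expected, claims):
    """Evaluates one IAM condition entry against the token's claims.
    Condition keys have the form '<provider-host>:<claim>'."""
    claim_name = key.split(":", 1)[1]
    actual = claims.get(claim_name)
    if actual is None:
        return False
    actual_values = actual if isinstance(actual, list) else [actual]
    expected_values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return any(a in expected_values for a in actual_values)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(a, pat)
                   for a in actual_values for pat in expected_values)
    raise ValueError(f"unsupported operator {operator}")


def trust_policy_allows(policy, provider_arn, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity names the
    provider as the federated principal and all of its conditions match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, exp, claims)
               for op, entries in conditions.items()
               for key, exp in entries.items()):
            return True
    return False


def decide(claims, now=None):
    """Full decision: claim validation first, then the trust policy."""
    ok, reason = validate_claims(claims, now)
    if not ok:
        return False, reason
    if not trust_policy_allows(TRUST_POLICY, PROVIDER_ARN, claims):
        return False, "trust policy denies"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    gold = {"iss": ISSUER, "aud": AUDIENCE, "sub": "group:gold:alice", "exp": now + 300}
    silver = {"iss": ISSUER, "aud": AUDIENCE, "sub": "group:silver:bob", "exp": now + 300}
    foreign = {"iss": "https://other.example.net", "aud": AUDIENCE,
               "sub": "group:gold:eve", "exp": now + 300}
    for name, c in [("gold", gold), ("silver", silver), ("foreign", foreign)]:
        print(name, decide(c, now))
```

The order matters for the defender: a token from an unregistered issuer or with the wrong audience is rejected before any role mapping is consulted, and a validly signed token from the right provider still gets nothing unless a trust policy's conditions match its claims. Tightening the `sub` pattern (or adding more condition keys) is how the role's blast radius is narrowed without touching the provider.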