Trusted identity propagation overview - Amazon IAM Identity Center

Trusted identity propagation overview

With trusted identity propagation, user access to Amazon resources can be more easily defined, granted, and logged. Trusted identity propagation is built on the OAuth 2.0 Authorization Framework, which allows applications to access and share user data securely without sharing passwords. OAuth 2.0 provides secure delegated access to application resources. Access is delegated because the resource administrator approves, or delegates, the application that the user signs in to so that it can access the other application.

To avoid sharing user passwords, trusted identity propagation uses tokens. Tokens provide a standard way for a trusted application to claim who the user is and what requests are permitted between two applications. Amazon managed applications that integrate with trusted identity propagation obtain tokens from IAM Identity Center directly. IAM Identity Center also provides an option for applications to exchange identity tokens and access tokens that come from an external OAuth 2.0 authorization server. This makes it possible for an application to authenticate and obtain tokens outside of Amazon, exchange the token for an IAM Identity Center token, and use the new token to make requests to Amazon services. For more information, see Using applications with a trusted token issuer.

The OAuth 2.0 process starts when a user signs in to an application. The application that the user signs in to initiates a request to access the other application's resources. The initiating (requesting) application can access the receiving application on behalf of the user by requesting a token from the authorization server. The authorization server returns the token, and the initiating application passes that token, with a request for access, to the receiving application.
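The flow described above, modeled end to end as an added example; it is not Amazon's code and does not reproduce IAM Identity Center's token format or API. The claim names, the HMAC signing key shared between the authorization server and the receiving application, and the application names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the authorization server and the receiving
# application (assumption; real deployments use asymmetric signatures).
KEY = b"constructed-demo-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(user, client, audience, scope, now=None, ttl=300):
    """Authorization server: mint a token naming the user, the initiating
    application, the receiving application, and the permitted request."""
    now = time.time() if now is None else now
    claims = {"sub": user, "client": client, "aud": audience,
              "scope": scope, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)

def receive(token, me, required_scope, now=None):
    """Receiving application: verify the token before acting for the user."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    # Check integrity first; claims are not parsed until the signature holds.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims["aud"] != me:            # token was minted for another application
        return None, "wrong audience"
    if claims["exp"] <= now:
        return None, "expired"
    if required_scope not in claims["scope"].split():
        return None, "scope not granted"
    return claims["sub"], "ok"         # user identity to authorize and log

def initiating_app(user, target, scope, now=None):
    """Initiating application: request a token, then pass it with the request."""
    token = issue_token(user, "hypothetical-query-app", target, scope, now)
    return receive(token, target, scope, now)
```

No password crosses either hop: the receiving application learns the user from the `sub` claim of a token it has verified, which is also the identity it can write to its access log.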