How to generate a JWT at user login in Okta portal using Okta as OIDC provider. I want to assume an AWS role using this JWT

I want to achieve my solution only using Okta as OIDC provider and don’t want to use Okta + AWS Cognito.

My identities are in Okta and I want to generate a JWT at user logon in Okta. I will then use this JWT to assume a role in AWS as mentioned in the doc here and return STS creds using the API call here.
Please let me know how I can achieve this. Please provide your response in a simple way with an example, as I am new to Okta and the identity world. Please feel free to correct me if I am missing something conceptually.

P.S: I am passing this JWT token in a POST request to APIGW which then passes it to Lambda. I am doing some stuff with Lambda with this JWT token. Right now I am using Okta + AWS Cognito. But want to get rid of Cognito unless necessary.

I want the solution workflow below:

  1. User logs in to the Okta portal using user ID and password and gets authenticated. Identities in Okta are from multiple identity sources.
  2. A JWT token is generated after logon.
  3. Capture the JWT token and pass it to Lambda by calling an API in APIGW using a POST API call.
  4. Run this call in Lambda to return STS creds in the response. While running the call, apply a session policy to scope down the level of permissions depending on attributes passed in the JWT token. The scope-down policy is created in Lambda based on dynamic attributes in the JWT token.
  5. Scoped-down temp creds are used by the user to perform the action.

I am creating dynamic policies as this is a SaaS product and end users (vendors/finance users etc.) will need temporary access depending on their role.

Currently, I am using Cognito in the middle as per the link, but want to get rid of Cognito.
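Steps 3 to 5 of the workflow above, as an added example that is not from this thread or from Okta's or AWS's own docs: a Lambda-side handler in Python (boto3) that reads the claims of the Okta-issued token, builds a scope-down session policy from a custom `vendor_id` claim, and exchanges the token for temporary credentials with STS `AssumeRoleWithWebIdentity`. Assumed: the Okta authorization server is registered as an IAM OIDC identity provider and named in the role's trust policy, the token carries a custom `vendor_id` claim, and `ROLE_ARN`, `BUCKET` and `sample_token` are placeholders constructed here.

```python
import base64
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-VendorRole"  # placeholder, not from the thread
BUCKET = "example-vendor-data"  # placeholder bucket name

def sample_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature (constructed test input only; a real
    token comes from Okta after login, signed by the Okta authorization server)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'dummy'})}.{enc(claims)}.dummy-signature"

def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Acceptable only because the
    identical token string goes to STS, which checks signature, issuer, audience and
    expiry against the Okta OIDC provider registered in IAM; if STS rejects the token no
    credentials are issued. Never reuse these claims for a decision that bypasses STS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def build_session_policy(claims: dict) -> dict:
    """Scope-down policy from a custom claim. A session policy can only narrow what the
    role's own policy allows, never widen it, so the role remains the ceiling."""
    vendor = claims.get("vendor_id")
    # The claim is interpolated into a resource ARN: reject anything that could act as
    # a wildcard or path escape ("*", "?", "../") rather than trusting the claim's shape.
    if not isinstance(vendor, str) or not vendor.isalnum():
        raise ValueError("vendor_id claim missing or not alphanumeric")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{vendor}/*",
        }],
    }

def assume_scoped_role(token: str) -> dict:
    """Exchange the Okta token for temporary STS credentials (network call to AWS)."""
    import boto3  # imported lazily so the policy logic above runs without AWS access
    claims = peek_claims(token)
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=ROLE_ARN,
        RoleSessionName=f"vendor-{claims['vendor_id']}",
        WebIdentityToken=token,
        Policy=json.dumps(build_session_policy(claims)),  # the dynamic scope-down
        DurationSeconds=900,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
```

STS applies the session policy as an intersection with the role's identity-based policy, and the plaintext `Policy` must stay under 2,048 characters, so keep the generated statements small.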

Here is how to do the client credentials flow:

You will need to recreate a new JWT token in your API…

Build a JWT for Client Authentication | Okta Developer: the code is only in Java or JS, but at least we can see what we need.

I want to have the same flow as yours… but I am also stuck.

My problem: How to lock down an API token to only access what our application needs - #12 by andrea