Recalculate token id instead of validating it.

authority/provisioner/aws.go

@@ -284,7 +284,11 @@ func (p *AWS) GetTokenID(token string) (string, error) {
 		sum := sha256.Sum256([]byte(token))
 		return strings.ToLower(hex.EncodeToString(sum[:])), nil
 	}
-	return payload.ID, nil
+
+	// Use provisioner + instance-id as the identifier.
+	unique := fmt.Sprintf("%s.%s", p.GetID(), payload.document.InstanceID)
+	sum := sha256.Sum256([]byte(unique))
+	return strings.ToLower(hex.EncodeToString(sum[:])), nil
 }
 
 // GetName returns the name of the provisioner.
@@ -631,13 +635,6 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 		return nil, errs.Unauthorized("aws.authorizeToken; aws identity document region cannot be empty")
 	}
 
-	// Recalculate and validate payload.ID
-	unique := fmt.Sprintf("%s.%s", p.GetID(), doc.InstanceID)
-	sum := sha256.Sum256([]byte(unique))
-	if payload.ID != strings.ToLower(hex.EncodeToString(sum[:])) {
-		return nil, errs.Unauthorized("aws.authorizeToken; invalid token id")
-	}
-
 	// According to "rfc7519 JSON Web Token" acceptable skew should be no
 	// more than a few minutes.
 	now := time.Now().UTC()

authority/provisioner/aws_test.go

@@ -470,22 +470,6 @@ func TestAWS_authorizeToken(t *testing.T) {
 				err:   errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
 			}
 		},
-		"fail/payloadId": func(t *testing.T) test {
-			p, err := generateAWS()
-			assert.FatalError(t, err)
-			p2, err := generateAWS()
-			assert.FatalError(t, err)
-			tok, err := generateAWSToken(
-				p2, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
-				"127.0.0.1", "us-west-1", time.Now(), key)
-			assert.FatalError(t, err)
-			return test{
-				p:     p,
-				token: tok,
-				code:  http.StatusUnauthorized,
-				err:   errors.New("aws.authorizeToken; invalid token id"),
-			}
-		},
 		"ok": func(t *testing.T) test {
 			p, err := generateAWS()
 			assert.FatalError(t, err)