OpenID Provider Configuration
You can configure AM's OAuth 2.0 provider service to double as an OpenID provider service.
To configure the OAuth 2.0 provider, follow the steps in "To Configure the OAuth 2.0 Provider Service". When you are finished, see "Additional Configuration" for OpenID Connect-specific configuration.
The OpenID provider is highly configurable:
To access the OAuth 2.0 provider configuration in the AM console, go to Realms > Realm Name > Services, and then select OAuth2 Provider.
To adjust global defaults, in the AM console, go to Configure > Global Services, and then click OAuth2 Provider.
See the "OAuth2 Provider" reference section for details on each of the fields in the provider.
Configure the public keys for the provider
OpenID providers sign ID tokens so that clients can ensure their authenticity. AM exposes the URI where clients can check the signing public keys to verify the ID token signatures.
By default, AM exposes an internal endpoint with keys, but you can configure the URI of your secrets API instead.
Enable the OpenID Connect Discovery endpoint
The discovery endpoint is disabled by default when you configure the OAuth 2.0 provider. Enable the endpoint if your clients need to discover the URL of the provider for a given user.
See "OpenID Connect Discovery".
Configure pairwise subject types for dynamic registration
To provide different values to the
Also, ensure that the value of the Subject Identifier Hash Salt field is different from
Configure whether AM must return scope-derived claims in the ID token
Scope-derived claims, such as those returned when requesting the
Configure how AM maps scopes to claims and user profile attributes
AM lets you map different user profile attributes to claims and scopes by using the AM scripting engine.
Configure the OpenID provider for discovery and dynamic client registration/management
AM supports several methods of dynamic registration that offer different security measures.
You can also register the clients manually.
See "OpenID Connect Discovery".
Add authentication requirements to ID tokens
Require the end users to satisfy different authentication rules or conditions when authenticating to the OpenID provider, such as using a specific authentication tree.
See "Adding Authentication Requirements to ID Tokens".
Configure AM as part of a GSMA Mobile Connect deployment
Configure the OAuth 2.0 authorization server to double as a Mobile Connect provider.
See "To Configure AM for Mobile Connect".
Configure the secret AM uses to sign ID tokens and logout tokens
ID tokens and backchannel logout tokens are always signed. By default, AM uses a test secret to sign them; change it in production environments.
See "Secret ID Mappings for Signing OpenID Connect Tokens".
Configure the OpenID provider to encrypt ID tokens and logout tokens
ID tokens and backchannel logout tokens are only signed by default. Consider encryption to protect them if they carry sensitive information about your end users.
See "Encrypting ID Tokens and Backchannel Logout Tokens".
Configure the methods and algorithms available for signed or encrypted JWTs in the
If your clients send request parameters to the authorization endpoint as a JWT instead of as HTTP parameters, configure the Request parameter signing algorithm field in the OpenID provider.
Note that the aliases mapped to the encryption algorithms are defined in the secret stores.
See "Secret ID Mappings for Decrypting OpenID Connect Request Parameters".