Access Management 7.2.2

Additional use cases for ID tokens

In addition to using the ID tokens in OpenID Connect flows, AM supports using ID tokens in place of session tokens when calling REST endpoints and using ID tokens in policy evaluation.

ID tokens as session tokens

You can authorize trusted clients to use ID tokens as the value of the iPlanetDirectoryPro cookie. This is useful when clients need to make calls to AM endpoints, such as the authorization endpoints, without requesting the end user to log in again.

The ID token must be issued using the authorization code grant flow.

Configure the OAuth 2.0 service for authorized clients

Follow these steps to let clients use ID tokens instead of session tokens:

  1. In the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.

  2. In the Authorized OIDC SSO Clients field, add the name of each client that will be able to use ID tokens in place of session tokens.

    Because these clients will act with the full authority of the end user, grant this permission to trusted clients only.

  3. Ensure that Enable Session Management is enabled.

  4. Save your changes.

Although the lifetime of the ID token can be extended using refresh tokens, the maximum lifetime is still determined by the session lifetime. If the session expires, the ID token is rejected by AM, even if the token itself is still valid.

The following is an example of a call to the policies endpoint using an ID token instead of a session token:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: protocol=1.0,resource=2.0" \
--header "iPlanetDirectoryPro: ID_TOKEN_VALUE" \
--data '{
   "resources":[
      "https://www.france-site.com:8443/index.html"
   ],
   "subject":{
      "ssoToken": "ID_TOKEN_VALUE"
   },
   "application":"iPlanetAMWebAgentService"
}' \
"https://openam.example.com:8443/openam/json/realms/root/realms/alpha/policies?_action=evaluate"
To access the policies endpoint, a user must have the Entitlement REST Access privilege.

ID tokens as subjects in policy evaluation

You can use the ID token as a subject condition during policy evaluation to validate claims within an ID token.

For example, you can validate that the aud claim has a value of myApplication, which identifies a particular application or group of applications within your environment.

Note that policy evaluation does not validate the ID token, but the claims within. Your applications should validate the ID token before requesting policy evaluation from AM.

For information about configuring policy evaluation using the OpenID Connect/JWT Claim condition, refer to Policies in the UI.

Copyright © 2010-2024 ForgeRock, all rights reserved.