AM 7.5.0

OpenID provider configuration

You can configure the AM OAuth 2.0 provider service to act as an OpenID provider (OP).

OIDC-specific configuration

  • To set the OAuth 2.0 provider configuration in the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider.

  • To adjust global defaults, in the AM admin UI, go to Configure > Global Services > OAuth2 Provider.

See the OAuth2 provider reference section for details on each configuration property.

OIDC configuration options
Task Resources

Configure the public keys for the provider

OPs sign ID tokens so that clients can ensure their authenticity. AM exposes the URI where clients can check the signing public keys to verify the ID token signatures.

By default, AM exposes an endpoint with keys, but you can configure the URI of your secrets API instead.

Enable the OpenID Connect Discovery endpoint

The discovery endpoint is disabled by default when you configure the OAuth 2.0 provider service. Enable the endpoint if your clients need to discover the URL of the provider for a given user.

Configure pairwise subject types for dynamic registration

To provide different values to the sub claim in the ID token for different clients (see Subject Identifier Types), make sure that the Subject Types supported property on the Advanced tab of the OAuth 2.0 provider configuration includes pairwise. This is the default.

Also, change the default value of the Subject Identifier Hash Salt field on the same tab.

If you specify a pairwise subject type, also refer to Sector Identifier URI in the client configuration.


Specify whether AM should return scope-derived claims in the ID token

Scope-derived claims, such as those returned when requesting the profile scope, aren’t returned in the ID token by default.

Configure how AM maps scopes to claims and user profile attributes

Use scripts to map different user profile attributes to claims and scopes.

Configure the OP for dynamic client registration and management

AM supports several methods of dynamic client registration.

You can also register the clients manually.

Add authentication requirements to ID tokens

Require end users to satisfy specific authentication rules or conditions when authenticating to the OP, such as using a specific authentication tree.

Configure AM for GSMA Mobile Connect

Configure the OAuth 2.0 authorization server to act as a Mobile Connect provider.

Configure the secret AM uses to sign ID tokens and logout tokens

ID tokens and backchannel logout tokens are always signed. By default, AM uses a test secret to sign them; change it in production environments.

Configure the OP to encrypt ID tokens and logout tokens

By default, ID tokens and backchannel logout tokens are signed. If these tokens carry sensitive information about your end users, consider encrypting them.

Configure the methods and algorithms available for signed or encrypted JWTs in the request parameter

If your clients send request parameters to the authorization endpoint as a JWT instead of as HTTP parameters, configure the Request Parameter* fields on the Advanced OpenID Connect tab.

Note that the aliases mapped to the encryption algorithms are defined in the secret stores.
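
The pairwise subject type entry above asks you to change the default Subject Identifier Hash Salt. The following added example (not ForgeRock code) shows why, using the SHA-256 derivation that OpenID Connect Core section 8.1 gives as one example method; AM's own derivation is not described on this page and may differ. All URIs, account IDs and salts are constructed sample values, and the function names are hypothetical.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample values; none of them come from AM.
KNOWN_DEFAULT_SALT = "example-default-salt"       # stands in for an unchanged default
DEPLOYMENT_SALT = "constructed-random-salt-7Qp2"  # stands in for a per-deployment secret


def sector_identifier(uri: str) -> str:
    """Return the host of a sector identifier URI (or of the sole redirect URI)."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no host component in {uri!r}")
    return host


def pairwise_sub(uri: str, local_account_id: str, salt: str) -> str:
    """sub = SHA-256(sector_identifier || local_account_id || salt), hex-encoded."""
    if not salt:
        raise ValueError("salt must not be empty")
    material = sector_identifier(uri) + local_account_id + salt
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def is_linkable(observed_sub: str, uri: str, local_account_id: str, salt_guess: str) -> bool:
    """True if a party holding salt_guess can recompute observed_sub for this account."""
    return pairwise_sub(uri, local_account_id, salt_guess) == observed_sub


if __name__ == "__main__":
    shop = "https://shop.example.com/callback"
    bank = "https://bank.example.net/callback"

    # Different sectors receive different sub values for the same account.
    print("shop:", pairwise_sub(shop, "demo", DEPLOYMENT_SALT))
    print("bank:", pairwise_sub(bank, "demo", DEPLOYMENT_SALT))

    # With an unchanged default salt, anyone who knows that default can
    # recompute the value, so the pairwise sub no longer hides the account.
    weak = pairwise_sub(shop, "demo", KNOWN_DEFAULT_SALT)
    print("linkable with default salt:", is_linkable(weak, shop, "demo", KNOWN_DEFAULT_SALT))

    strong = pairwise_sub(shop, "demo", DEPLOYMENT_SALT)
    print("linkable with changed salt:", is_linkable(strong, shop, "demo", KNOWN_DEFAULT_SALT))
```

The salt is the only secret input to the derivation, so clients that share a sector identifier get the same sub and everything else depends on the salt staying private to the deployment.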

Copyright © 2010-2024 ForgeRock, all rights reserved.