AM 7.5.0

ID token uses

ID tokens can also serve as session cookies and as policy subjects.

As session cookies

You can enable trusted client applications to use ID tokens as session cookies for calls to REST endpoints.

  • Clients must get the ID token with the authorization code grant flow.

  • Clients can use refresh tokens to get a new ID token, but the session lifetime still applies.

    When the session expires, even a valid ID token is no longer a valid session cookie. The end user must authenticate again to get a new session.

To enable trusted clients to use ID tokens as session cookies:

  1. In the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.

  2. In the Authorized OIDC SSO Clients field, add the client IDs for all trusted clients.

    These trusted clients act with the full authority of the end user.

  3. Ensure that Enable Session Management is enabled.

  4. Save your changes.

As policy subjects

An ID token can serve as a subject condition for policies validating the token’s claims. For example, a policy can validate that the token audience belongs to a specific group of applications by checking the aud claim to ensure it includes samplePolicySet.

Policy evaluation only validates the claims, not the ID token. Validate the ID token before making the policy evaluation request.

To configure a policy that validates claims, define a subject condition with the OpenID Connect/Jwt Claim type.


The following example shows a policy evaluation request with an ID token as a session cookie and as a subject.

The end user must have the Entitlement REST Access privilege to access the policies endpoint.

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: protocol=1.0,resource=2.0" \
--header "iPlanetDirectoryPro: <id-token>" \
--data '{
  "resources": [""],
  "subject": {
    "ssoToken": "<id-token>"
  "application": "samplePolicySet"
}' \
Copyright © 2010-2024 ForgeRock, all rights reserved.