Additional Use Cases for ID Tokens

In addition to using ID tokens in OpenID Connect flows, AM supports using ID tokens in place of session tokens when calling REST endpoints, and using the claims in ID tokens during policy evaluation.

Using ID Tokens as Session Tokens

You can authorize trusted clients to use ID tokens as the value of the iPlanetDirectoryPro cookie. This is useful when clients need to make calls to AM endpoints, such as the authorization endpoints, without requesting the end user to log in again.

The ID token must be issued using the Authorization Code Grant flow.

To Configure the OAuth 2.0 Service for Authorized Clients

Perform the following steps to let clients use ID tokens in the place of session tokens:

  1. Go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.

  2. Add the names of the clients that will be able to use ID tokens in place of session tokens to the Authorized OIDC SSO Clients field.

    Since these clients will act with the full authority of the end user, grant this permission to trusted clients only.

  3. Ensure that Save Ops Token is enabled.

  4. Save your changes.

The following is an example of a call to the policies endpoint using an ID token instead of a session token:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: protocol=1.0,resource=2.0" \
--header "iPlanetDirectoryPro: ID_TOKEN_VALUE" \
--data '{
   "resources":[
      "https://www.france-site.com:8443/index.html"
   ],
   "subject":{
      "ssoToken": "ID_TOKEN_VALUE"
   },
   "application":"iPlanetAMWebAgentService"
}' \
"https://openam.example.com:8443/openam/json/realms/root/policies?_action=evaluate"

Note

To access the policies endpoint, a user must have the Entitlement REST Access privilege.

Using ID Tokens as Subjects in Policy Decision

You can use the ID token as a subject condition during policy evaluation to validate claims within an ID token.

For example, you can validate that the aud claim has a value of myApplication, which identifies a particular application or group of applications within your environment.

Note that policy evaluation does not validate the ID token itself; it only compares the claims it carries. Your applications should validate the ID token (signature, issuer, audience, and expiry) before requesting policy evaluation from AM.

For more information about configuring policy evaluation using the OpenID Connect/JWT Claim type, refer to "To Configure a Policy (console)".
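The following added Python example is not part of the AM documentation; it ties the two preceding sections together. It validates an ID token the way the application should before calling AM (signature, iss, aud and exp), and then assembles the headers and body of the policies evaluate request from "Using ID Tokens as Session Tokens", placing the ID token where the session token would normally go. The issuer URL, client ID and client secret are constructed values, the token is minted locally with HS256 to stand in for AM's token endpoint, and the validation assumes an HS256-signed ID token; an RS256-signed token would be verified against the provider's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values, not taken from any AM deployment. In practice the
# issuer is the realm's OAuth2 provider URL and the secret is the client secret
# (this only applies to HS256-signed ID tokens; RS256 tokens are checked
# against the provider's JWKS instead).
ISSUER = "https://openam.example.com:8443/openam/oauth2"
CLIENT_ID = "myApplication"
CLIENT_SECRET = b"constructed-client-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Mint an HS256-signed JWT for the demonstration (stands in for AM's token endpoint)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_id_token(token: str, secret: bytes = CLIENT_SECRET, issuer: str = ISSUER,
                      audience: str = CLIENT_ID, now: float = None) -> dict:
    """Verify signature, iss, aud and exp; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm so alg=none or an RS/HS confusion is refused.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if audience not in aud_list:
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def build_policy_evaluation_request(id_token: str, resources, application: str = "iPlanetAMWebAgentService"):
    """Build headers and body for POST .../json/realms/root/policies?_action=evaluate,
    using the ID token in place of the session token (requires the client to be
    listed in Authorized OIDC SSO Clients)."""
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "protocol=1.0,resource=2.0",
        "iPlanetDirectoryPro": id_token,
    }
    body = {
        "resources": list(resources),
        "subject": {"ssoToken": id_token},
        "application": application,
    }
    return headers, body


def prepare_request(id_token: str, resources, now: float = None):
    """Validate the ID token first; return (headers, body) or None if it is rejected."""
    try:
        validate_id_token(id_token, now=now)
    except ValueError:
        return None
    return build_policy_evaluation_request(id_token, resources)


if __name__ == "__main__":
    issued = int(time.time())
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "demo",
                           "iat": issued, "exp": issued + 600})
    headers, body = prepare_request(token, ["https://www.france-site.com:8443/index.html"])
    print(json.dumps({"headers": headers, "body": body}, indent=2))
```

The returned headers and body are what the curl example above sends; the point of the wrapper is that a token that fails any of the checks never reaches AM, since AM's policy evaluation only inspects claim values and will not catch an expired or mis-audienced token for you.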
