Identity Cloud

OpenID provider configuration

You can configure AM’s OAuth 2.0 provider service to double as an OpenID provider service.

To configure the OAuth 2.0 provider, follow the steps in Configure the OAuth 2.0 provider service. When you are finished, refer to Additional configuration for OpenID Connect-specific configuration.

Additional configuration

The OpenID provider is highly configurable:

  • To access the OAuth 2.0 provider configuration in the AM admin UI, go to Realms > Realm Name > Services > OAuth2 Provider.

See the OAuth2 Provider reference section for details on each of the fields in the provider.

Table 1. OpenID Connect Configuration Options
Task Resources

Configure the public keys for the provider

OpenID providers sign ID tokens so that clients can ensure their authenticity. AM exposes the URI where clients can check the signing public keys to verify the ID token signatures.

By default, AM exposes an internal endpoint with keys, but you can configure the URI of your secrets API instead.

/oauth2/connect/jwk_uri

Enable the OpenID Connect Discovery endpoint

The discovery endpoint is disabled by default when you configure the OAuth 2.0 provider. Enable the endpoint if your clients need to discover the URL of the provider for a given user.

OpenID Connect Discovery

Configure pairwise subject types for dynamic registration

To provide different values to the sub claim in the ID token for different clients (see Subject Identifier Types), configure the Subject Types Supported map.

Also, ensure that the value of the Subject Identifier Hash Salt field is different from changeme.

N/A

Configure whether AM must return scope-derived claims in the ID token

Scope-derived claims, such as those returned when requesting the profile scope, are not returned in the ID token by default.

Claims

Configure how AM maps scopes to claims and user profile attributes

AM lets you map different user profile attributes to claims and scopes by using the AM scripting engine.

Claims

Configure the OpenID provider for discovery and dynamic client registration/management

AM supports several methods of dynamic registration that offer different security measures.

You can also register the clients manually.

OpenID Connect Discovery

Add authentication requirements to ID tokens

Require the end users to satisfy different authentication rules or conditions when authenticating to the OpenID provider, such as using a specific authentication tree.

Add authentication requirements to ID tokens

Configure AM as part of a GSMA Mobile Connect deployment

Configure the OAuth 2.0 authorization server to double as a Mobile Connect provider.

Configure AM for Mobile Connect

Configure the OpenID provider to encrypt ID tokens and logout tokens

ID tokens and backchannel logout tokens are only signed by default. Consider encryption to protect them if they carry sensitive information about your end users.

Encrypt ID tokens and backchannel logout tokens
Copyright © 2010-2022 ForgeRock, all rights reserved.