ID token uses
ID tokens can also serve as session cookies and as policy subjects.
As session cookies
You can enable trusted client applications to use ID tokens as session cookies for calls to REST endpoints.
-
Clients must get the ID token with the authorization code grant flow.
-
Clients can use refresh tokens to get a new ID token, but the session lifetime still applies.
When the session expires, even a valid ID token is no longer a valid session cookie. The end user must authenticate again to get a new session.
To enable trusted clients to use ID tokens as session cookies:
-
Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.
-
In the Authorized OIDC SSO Clients field, add the client IDs for all trusted clients.
These trusted clients act with the full authority of the end user.
-
Save your changes.
As policy subjects
An ID token can serve as a subject condition for policies validating the token’s claims.
For example, a policy can validate that the token audience belongs to a specific group of applications
by checking the aud
claim to ensure it includes samplePolicySet
.
Policy evaluation only validates the claims, not the ID token. Validate the ID token before making the policy evaluation request.
To configure a policy that validates claims, define a subject condition with the OpenID Connect/Jwt Claim type.
Example
The following example shows a policy evaluation request with an ID token as a session cookie and as a subject:
$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: protocol=1.0,resource=2.0" \
--header "<session-cookie-name>: <id-token>" \
--data '{
"resources": ["https://www.example.com:8443/index.html"],
"subject": {
"ssoToken": "<id-token>"
},
"application": "samplePolicySet"
}' \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/policies?_action=evaluate"