How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I transform an AM session token to an OIDC token in AM (All versions) using REST STS?

Last updated Jan 16, 2023

The purpose of this article is to provide information on configuring a REST STS (Secure Token Service) instance in AM for transforming an AM session token to OpenID Connect (OIDC) token.

1 reader recommends this article


This article covers the following steps to configure the REST STS and then transform the session token to OIDC token:

  1. Create a REST STS instance
  2. Transform a session token to OIDC token

Creating a REST STS instance

You can create a REST STS instance as follows:

  1. Create a new REST STS instance in the AM admin UI by navigating to Realms > [Realm Name] > STS and clicking Add REST STS.
  2. Complete the configuration of the STS instance; you should specify the following settings (some of these settings are only available once you have created the instance):
    • Persist Issued Tokens in Core Token Store: leave this option unselected.
    • Deployment URL Element: a string that identifies the REST STS instance, for example: sts-oidc. This string is used in the REST STS instance's endpoint.
    • Supported Token Transforms: AM -> OPENIDCONNECT; don't invalidate interim AM session
    • The OpenID Connect Token Provider Issuer Id: the OpenID Connect agent name, which should also match the protocol://hostname:port/deploymentcontext, for example:
    • Token Signature Algorithm: an algorithm suitable for your deployment, for example HMAC SHA 256 (which is suitable for testing but not for production).
    • Client Secret: the client secret used as the HMAC key - this is mandatory for HMAC-signed tokens.
    • Issued Tokens Audience: oidc_client
    • The authorized party (optional): oidc_client
    • Claim Map: set if required, for example, email=mail
  3. Save this configuration. You do not need to restart the server if the Persist Issued Tokens in Core Token Store option is unselected.

Transforming a session token to OIDC token

To perform the transformation, you make a REST call to the following endpoint:


where [instance] is the name of the REST STS instance, including the realm in which it exists. For example: internal/sts-oidc.

Example using curl

The following example obtains an AM session token and then uses the REST STS instance (called sts-oidc in the internal realm) to transform that session token to an OIDC token:

  1. Authenticate your user to obtain the AM session token. For example: $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" Example response: { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/am/console", "realm": "/" }
  2. Transform the received session token to an OIDC token by making a REST call to the /rest-sts/internal/sts-oidc?_action=translate endpoint. For example: $ curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ "input_token_state": { "token_type": "AM", "session_id": "AQIC5wM2LY4Sfcxs...EwNDU2NjE0*"}, "output_token_state": { "token_type": "OPENIDCONNECT", "nonce": "12345678", "allow_access": true } }' ''Example OIDC token returned: { "issued_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJvaWRjX2NsaWVudCIsInN1YiI6ImRlbW8iLCJhenAiOiJvaWRjX2NsaWVudCIsImF1dGhfdGltZSI6MTUyMTYyNTM0MywiaXNzIjoiaHR0cDovL2VjMi0zNC0yMTQtMTY4LTIwLnVzLXdlc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiZXhwIjoxNTIxNjI1OTQzLCJpYXQiOjE1MjE2MjUzNDMsIm5vbmNlIjoiMTIzNDU2NzgiLCJqdGkiOiI5Mjc3N2Y0NS1mNzU2LTRkZmMtOTgyZi1iZmVlMDJhZTg5OTAiLCJlbWFpbCI6ImRlbW8hQGFiYy5jb20ifQ.hFLc4hK-rWxYVFGhaZU8c7ifXZM07uRMLQKIlgPVHII" }
  3. Decode this token. For example, you can use jq on the command line (you can install jq as outlined in Download jq):$ jq -R 'split(".") | .[1] | @base64d | fromjson' <<< <id_token>Example response showing it contains the following information:{ "aud":"oidc_client" "sub":"demo" "azp":"oidc_client" "auth_time":1521625343 "iss":"" "exp":1521625943 "iat":1521625343 "nonce":"12345678" "jti":"92777f45-f756-4dfc-982f-bfee02ae8990" "email":"demo!" }

See Also

Using the REST STS in AM

Security Token Service (STS)

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.