How do I transform an AM session token to an OIDC token in AM (All versions) using REST STS?
The purpose of this article is to provide information on configuring a REST STS (Secure Token Service) instance in AM for transforming an AM session token to an OpenID Connect (OIDC) token.
Overview
This article covers the following steps to configure the REST STS and then transform the session token to an OIDC token:
Creating a REST STS instance
You can create a REST STS instance as follows:
- Create a new REST STS instance in the AM admin UI by navigating to Realms > [Realm Name] > STS and clicking Add REST STS.
- Complete the configuration of the STS instance; you should specify the following settings (some of these settings are only available once you have created the instance):
- Persist Issued Tokens in Core Token Store: leave this option unselected.
- Deployment URL Element: a string that identifies the REST STS instance, for example: sts-oidc. This string is used in the REST STS instance's endpoint.
- Supported Token Transforms: AM -> OPENIDCONNECT; don't invalidate interim AM session
- The OpenID Connect Token Provider Issuer Id: the OpenID Connect agent name, which should also match the protocol://hostname:port/deploymentcontext, for example: https://am.example.com:8443/am/oauth2
- Token Signature Algorithm: an algorithm suitable for your deployment, for example HMAC SHA 256 (which is suitable for testing but not for production).
- Client Secret: the client secret used as the HMAC key - this is mandatory for HMAC-signed tokens.
- Issued Tokens Audience: oidc_client
- The authorized party (optional): oidc_client
- Claim Map: set if required, for example, email=mail
- Save this configuration. You do not need to restart the server if the Persist Issued Tokens in Core Token Store option is unselected.
Transforming a session token to OIDC token
To perform the transformation, you make a REST call to the following endpoint:
/rest-sts/[instance]?_action=translate
where [instance] is the name of the REST STS instance, including the realm in which it exists. For example: internal/sts-oidc.
Example using curl
The following example obtains an AM session token and then uses the REST STS instance (called sts-oidc in the internal realm) to transform that session token to an OIDC token:
- Authenticate your user to obtain the AM session token. For example:
$ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" https://am.example.com:8443/am/json/realms/root/authenticate
Example response:
{
  "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*",
  "successUrl": "/am/console",
  "realm": "/"
}
- Transform the received session token to an OIDC token by making a REST call to the /rest-sts/internal/sts-oidc?_action=translate endpoint. For example:
$ curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ "input_token_state": { "token_type": "AM", "session_id": "AQIC5wM2LY4Sfcxs...EwNDU2NjE0*"}, "output_token_state": { "token_type": "OPENIDCONNECT", "nonce": "12345678", "allow_access": true } }' 'https://am.example.com:8443/am/rest-sts/internal/sts-oidc?_action=translate'
Example OIDC token returned:
{
  "issued_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJvaWRjX2NsaWVudCIsInN1YiI6ImRlbW8iLCJhenAiOiJvaWRjX2NsaWVudCIsImF1dGhfdGltZSI6MTUyMTYyNTM0MywiaXNzIjoiaHR0cDovL2VjMi0zNC0yMTQtMTY4LTIwLnVzLXdlc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiZXhwIjoxNTIxNjI1OTQzLCJpYXQiOjE1MjE2MjUzNDMsIm5vbmNlIjoiMTIzNDU2NzgiLCJqdGkiOiI5Mjc3N2Y0NS1mNzU2LTRkZmMtOTgyZi1iZmVlMDJhZTg5OTAiLCJlbWFpbCI6ImRlbW8hQGFiYy5jb20ifQ.hFLc4hK-rWxYVFGhaZU8c7ifXZM07uRMLQKIlgPVHII"
}
- Decode this token. For example, you can use jq on the command line (you can install jq as outlined in Download jq):
$ jq -R 'split(".") | .[1] | @base64d | fromjson' <<< <id_token>
Example response showing it contains the following information:
{
  "aud": "oidc_client",
  "sub": "demo",
  "azp": "oidc_client",
  "auth_time": 1521625343,
  "iss": "https://ec2-34-214-168-20.us-west-2.compute.amazonaws.com:8443/am/oauth2",
  "exp": 1521625943,
  "iat": 1521625343,
  "nonce": "12345678",
  "jti": "92777f45-f756-4dfc-982f-bfee02ae8990",
  "email": "demo!@abc.com"
}
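Decoding the payload with jq shows what the token claims, but it does not prove who issued it. The following Python is an added example (not code from this article or from AM): it builds the translate request body shown above and then checks an issued HS256 token the way a relying party should before trusting it, verifying the signature against the STS Client Secret and only then comparing iss, aud, nonce and exp. The secret, claims and token are constructed for the example; with a real issued_token you would pass the instance's configured Client Secret, Issuer Id and Issued Tokens Audience.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment):
    """Decode a JWT base64url segment (no padding, '-'/'_' alphabet)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_translate_request(session_id, nonce, allow_access=True):
    """Body for POST /rest-sts/[realm]/[instance]?_action=translate (AM -> OPENIDCONNECT)."""
    return {"input_token_state": {"token_type": "AM", "session_id": session_id},
            "output_token_state": {"token_type": "OPENIDCONNECT", "nonce": nonce,
                                   "allow_access": allow_access}}

def verify_hs256_id_token(token, client_secret, issuer, audience, nonce, now):
    """Check the HMAC with the STS Client Secret, then aud/iss/nonce/exp; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted after the HMAC check
    if audience not in (claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]):
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer or claims.get("nonce") != nonce:
        raise ValueError("issuer or nonce mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def rejection_reason(*args, **kwargs):
    try:
        verify_hs256_id_token(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)

def make_sample_token(client_secret, claims):
    """Constructed HS256 token standing in for the STS issued_token (not real AM output)."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), ("%s.%s" % (head, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (head, body, b64url_encode(sig))
```

Because the HMAC key is the shared Client Secret, any party holding it can mint tokens as well as verify them, which is why the article flags HMAC SHA 256 as a testing-only choice.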