How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I transform an AM session token to an OIDC token in AM (All versions) using REST STS?

Last updated Feb 24, 2021

The purpose of this article is to provide information on configuring a REST STS (Secure Token Service) instance in AM for transforming an AM session token to OpenID Connect (OIDC) token.


1 reader recommends this article

Overview

This article covers the following steps to configure the REST STS and then transform the session token to OIDC token:

  1. Create a REST STS instance
  2. Transform a session token to OIDC token

Creating a REST STS instance

You can create a REST STS instance as follows:

  1. Create a new REST STS instance using the console:
    • AM 6 and later console: navigate to Realms > [Realm Name] > STS and click Add REST STS.
    • Pre-AM 6 console: navigate to Realms > [Realm Name] > STS > Rest STS Instances and click Add.
  2. Complete the configuration of the STS instance; you should specify the following settings (in AM 6 and later, some of these settings are only available once you have created the instance):
    • Persist Issued Tokens in Core Token Store: leave this option unselected.
    • Deployment URL Element: a string that identifies the REST STS instance, for example: sts-oidc. This string is used in the REST STS instance's endpoint.
    • Supported Token Transforms: OPENAM -> OPENIDCONNECT; don't invalidate interim OpenAM session
    • The OpenID Connect Token Provider Issuer Id: the OpenID Connect agent name, which should also match the protocol://hostname:port/deploymentcontext, for example: http://host1.example.com:8080/openam/oauth2
    • Token Signature Algorithm: an algorithm suitable for your deployment, for example HMAC SHA 256 (which is suitable for testing but not for production).
    • Client Secret: the client secret used as the HMAC key - this is mandatory for HMAC-signed tokens.
    • Issued Tokens Audience: oidc_client
    • The authorized party (optional): oidc_client
    • Claim Map: set if required, for example, email=mail
  3. Save this configuration. You do not need to restart the server if the Persist Issued Tokens in Core Token Store option is unselected.

Transforming a session token to OIDC token

To perform the transformation, you make a REST call to the following endpoint:

/rest-sts/[instance]?_action=translate

where [instance] is the name of the REST STS instance, including the realm in which it exists. For example: internal/sts-oidc.

Example using curl

The following example obtains an AM session token and then uses the REST STS instance (called sts-oidc in the internal realm) to transform that session token to an OIDC token:

  1. Authenticate your user to obtain the AM session token. For example: $ curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" http://host1.example.com:8080/openam/json/realms/root/authenticate Example response: { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }
  2. Transform the received session token to an OIDC token by making a REST call to the /rest-sts/internal/sts-oidc?_action=translate endpoint. For example: $ curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ "input_token_state": { "token_type": "OPENAM", "session_id": "AQIC5wM2LY4Sfcxs...EwNDU2NjE0*"}, "output_token_state": { "token_type": "OPENIDCONNECT", "nonce": "12345678", "allow_access": true } }' 'http://host1.example.com:8080/openam/rest-sts/internal/sts-oidc?_action=translate' Example OIDC token returned: { "issued_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJvaWRjX2NsaWVudCIsInN1YiI6ImRlbW8iLCJhenAiOiJvaWRjX2NsaWVudCIsImF1dGhfdGltZSI6MTUyMTYyNTM0MywiaXNzIjoiaHR0cDovL2VjMi0zNC0yMTQtMTY4LTIwLnVzLXdlc3QtMi5jb21wdXRlLmFtYXpvbmF3cy5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiZXhwIjoxNTIxNjI1OTQzLCJpYXQiOjE1MjE2MjUzNDMsIm5vbmNlIjoiMTIzNDU2NzgiLCJqdGkiOiI5Mjc3N2Y0NS1mNzU2LTRkZmMtOTgyZi1iZmVlMDJhZTg5OTAiLCJlbWFpbCI6ImRlbW8hQGFiYy5jb20ifQ.hFLc4hK-rWxYVFGhaZU8c7ifXZM07uRMLQKIlgPVHII" }

You can decode this token (for example, using https://jwt.davetonge.co.uk/), which shows it contains the following information:

{ "aud":"oidc_client" "sub":"demo" "azp":"oidc_client" "auth_time":1521625343 "iss":"http://ec2-34-214-168-20.us-west-2.compute.amazonaws.com:8080/openam/oauth2" "exp":1521625943 "iat":1521625343 "nonce":"12345678" "jti":"92777f45-f756-4dfc-982f-bfee02ae8990" "email":"demo!@abc.com" }

See Also

Using the REST STS in AM

Security Token Service Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.