You can configure an OpenID Connect Provider to use the RS256 algorithm for the signing of ID tokens.
About this task
You can configure an OpenID Connect Provider to use the RSA-SHA256 signature algorithm for signing ID tokens by setting the signatureAlgorithm attribute to RS256 and configuring a keystore with the private key used for signing.
Procedure
- Set the OpenID Connect Provider signatureAlgorithm attribute to RS256.
- You can configure the Liberty OP to sign an ID token either with an X509 certificate held in a physical keystore, or with a self-generated RSA key pair that is periodically regenerated and whose public key is published as a JWK at the jwks_uri location.
- Optional: X509 certificate
In the server.xml file, create a keyStore element that refers to the physical keystore containing the private key used to produce RSA-SHA256 signatures. For example:
<keyStore id="opTestKeyStore" location="${server.config.dir}/opKeyStore.jks" type="JKS" password="keystorePwd" />
Set the keyStoreRef attribute of the openidConnectProvider element to the id value of that keyStore element, and set keyAliasName to the alias of the private key in the keystore. For example:
<openidConnectProvider id="OAuthConfigSample" oauthProviderRef="OAuthConfigSample" signatureAlgorithm="RS256" keyStoreRef="opTestKeyStore" keyAliasName="myOpKeyAlias" />
- Optional: JWK
To dynamically generate a signing key pair and publish its public key as a JWK, add jwkEnabled="true" to the openidConnectProvider element. The key pair is regenerated every 12 hours by default; set jwkRotationTime to change the rotation interval.
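As an added example (not Liberty's or this page's own code), here is the relying-party side of this setup: a check of an RS256-signed ID token against the public key the OP publishes as a JWK, pinning the algorithm and looking the key up by kid. The key generation and signing helpers, the kid value and the claims are constructed assumptions included only so it runs offline; a production RP would use a vetted JOSE library.

```python
import base64, hashlib, json, random
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017 9.2
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), padded to the k-byte modulus
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def verify_id_token(token, jwks):  # returns the claims if RS256-signed by a key in jwks, else None
    h, p, s = token.split(".")
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "RS256":  # pin the algorithm: refuse "none", HS256 and anything else
        return None
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:  # unknown kid: nothing to verify against (the OP may have rotated its JWK)
        return None
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, int.from_bytes(b64u_dec(s), "big")
    if sig >= n or pow(sig, e, n).to_bytes(k, "big") != emsa_pkcs1_v15(f"{h}.{p}".encode(), k):
        return None
    return json.loads(b64u_dec(p))

# Toy RSA keygen and RS256 signer: assumptions included only so the example runs offline with a constructed key.
def _is_prime(n, rounds=16):  # Miller-Rabin probable-prime test
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force the top bit and oddness
        if _is_prime(c): return c
def make_key(bits=1024, kid="op-key-1"):  # returns (public JWK as the OP would publish it, d, n)
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n = p * q
        if p != q and n.bit_length() == bits and (p - 1) % e and (q - 1) % e: break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"kty": "RSA", "kid": kid, "n": b64u_enc(n.to_bytes(bits // 8, "big")), "e": b64u_enc(b"\x01\x00\x01")}, d, n
def sign_id_token(claims, d, n, kid):  # what the OP does on issuance: header.payload.RS256-signature
    signing_input = b64u_enc(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()) + "." + b64u_enc(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    return signing_input + "." + b64u_enc(pow(int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big"), d, n).to_bytes(k, "big"))
```

Because jwkEnabled rotates the key pair every jwkRotationTime, an RP that caches the JWK set should re-fetch jwks_uri when it meets an unknown kid before rejecting the token.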
Results
You have now configured an OpenID Connect Provider for signing ID tokens with RSA-SHA256.