Each realm configured for OAuth 2.0 exposes a JSON web key (JWK) URI endpoint that contains public keys that clients can use to:
Verify the signature of client-based access tokens and OpenID Connect ID tokens.
Encrypt OpenID Connect ID requests to AM sent as a JWT.
Where Do the Keys Come From?
By default, the endpoint exposes an internal URI relative to the AM deployment. For example, openam/oauth2/realms/root/connect/jwk_uri.
The keys appearing in that URI are those configured in the AM secret stores, regardless of the algorithms configured in the OAuth 2.0 provider. This is to support the process of deprecating keys/algorithms.
Secrets are configured by default; delete the ones you are not planning to use so that they are not exposed on the endpoint.
In environments where secrets are centralized, you may want AM to share the URI of your secrets API instead of the local AM endpoint. To configure it, go to Realms > Realm name > Services > OAuth2 Provider, and add the new URI to the Remote JSON Web Key URL field.
Note that HMAC-based algorithms, direct encryption, and AES key wrapping encryption algorithms use the client secret instead of a public key. Therefore, clients do not need to check the JWK URI endpoint for those algorithms.
The Endpoint is Exposed, But I Haven't Configured an OAuth 2.0 Provider Yet
Web and Java agents use an internal OAuth 2.0 provider to connect to AM. This provider exposes the endpoint so that agents can access the key configured for the am.global.services.oauth2.oidc.agent.idtoken.signing secret ID.
Tip
Configure the base URL source service to change the URL used in the .well-known endpoints used in OpenID Connect 1.0 and UMA.
The following table summarizes the high-level tasks you need to complete to manage the JWK URI endpoint in your environment:
| Task | Resources |
|---|---|
| Learn where to find and how to query the JWK URI endpoint. Clients need to find the endpoint to, for example, validate tokens signed by AM. | "To Access the Keys Exposed by the JWK URI Endpoint" |
| Control which keys are displayed. The JWK URI endpoint returns keys based on the secret mappings configured for the relevant OAuth 2.0/OpenID connect functionality. Therefore, to control which keys are displayed, ensure that you only map the secrets required in your environment. | "Configuring ID Token Signatures" |
| Learn how to deprecate algorithms and how to rotate public keys. You may need to perform these tasks to replace algorithms with more secure ones. | "Deprecating Algorithms and Rotating Public Keys" |
| Customize the key ID ( By default, AM generates a You need to customize AM if any exposed keys in your environment need a specific | "Customizing Public Key IDs". |
| Decide if the JWK URI endpoint should display duplicated key IDs By default, each If you have several algorithms and key types associated with one | "Displaying Every Algorithm and Key Type Associated to a Key ID". |
To Access the Keys Exposed by the JWK URI Endpoint
Perform the following steps to access the public keys:
To find the JWK URI that AM exposes, perform an HTTP GET at
/oauth2/realms/root/.well-known/openid-configuration. For example:$
curl https://openam.example.com:8443/openam/oauth2/realms/root/.well-known/openid-configuration{ "request_parameter_supported": true, "claims_parameter_supported": false, "introspection_endpoint": "https://openam.example.com:8443/openam/oauth2/introspect", "check_session_iframe": "https://openam.example.com:8443/openam/oauth2/connect/checkSession", "scopes_supported": [], "issuer": "https://openam.example.com:8443/openam/oauth2", "id_token_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ],... "jwks_uri": "https://openam.example.com:8443/openam/oauth2/connect/jwk_uri", "subject_types_supported": [ "public" ],...}By default, AM exposes the JWK URI as an endpoint relative to the deployment URI. For example,
https://openam.example.com:8443/openam/oauth2/realms/root/connect/jwk_uri.In environments where secrets are centralized, you may want AM to share the URI of your secrets API instead of the local AM endpoint.
See Alsoitsme® OpenID Connect documentationA Beginner's Guide to JWTsGenerate a JWE (JSON Web Encryption) Data ObjectRFC 7516: JSON Web Encryption (JWE)To configure it, go to Realms > Realm name > Services > OAuth2 Provider, and add the new URI to the Remote JSON Web Key URL field.
Perform an HTTP GET at the JWK URI to get the relevant public keys. For example:
$
curl https://openam.example.com:8443/openam/oauth2/realms/root/connect/jwk_uri{"keys":[ { "kty":"EC", "kid":"I4x/IijvdDsUZMghwNq2gC/7pYQ=", "use":"sig", "x5t":"GxQ9K-sxpsH487eSkJ7lE_SQodk", "x5c":[ "MIIB/zCCAYYCCQDS7UWmBdQtETAJ0mN0TZL7/MaY..." ], "x":"k5wSvW_6JhOuCj-9PdDWdEA4oH90RSmC2GTliiUHAhXj6rmTdE2S-_zGmMFxufuV", "y":"XfbR-tRoVcZMCoUrkKtuZUIyfCgAy8b0FWnPZqevwpdoTzGQBOXSNi6uItN_o4tH", "crv":"P-384" }, ... ]}
Configuring ID Token Signatures
ID tokens are signed by default with a test key configured during installation. Change this key on production-like and production environments.
To Configure ID Token Digital Signatures
Perform the steps in this procedure to configure the signing algorithm AM should use to sign OpenID Connect tokens:
Go to Realms > Realm Name > Services > OAuth2 Provider.
In the OpenID Connect tab, ensure that the ID Token Signing Algorithms supported list has the signing algorithms your environment requires.
AM supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS.
Note that the alias mapped to the algorithms are defined in the secret stores, as shown in the table below:
Secret ID Mappings for Signing OpenID Connect Tokens
The following table shows the secret ID mapping used to sign OpenID Connect ID tokens:
Secret ID Default Alias Algorithms [a] am.services.oauth2.oidc.signing.ES256 es256test ES256 am.services.oauth2.oidc.signing.ES384 es384test ES384 am.services.oauth2.oidc.signing.ES512 es512test ES512 am.services.oauth2.oidc.signing.RSA rsajwtsigningkey PS256 PS384 PS512 RS256 RS384 RS512 am.services.oauth2.oidc.signing.EDDSA EdDSA with SHA-512 [a] The following applies to confidential clients only:
If you select an HMAC algorithm for signing ID tokens (
HS256,HS384, orHS512), the Client Secret property value in the OAuth 2.0 Client is used as the HMAC secret instead of an entry from the secret stores.Since the HMAC secret is shared between AM and the client, a malicious user compromising the client could potentially create tokens that AM would trust. Therefore, to protect against misuse, AM also signs the token using a non-shared signing key configured in the
am.services.oauth2.jwt.authenticity.signingsecret ID.By default, secret IDs are mapped to demo keys contained in the default keystore provided with AM and mapped to the
default-keystorekeystore secret store. Use these keys for demo and test purposes only. For production environments, replace the secrets as required and create mappings for them in a secret store configured in AM.For more information about managing secret stores and mapping secret IDs to aliases, see Configuring Secrets, Certificates, and Keys.
(Optional) If the client is configured in AM, go to Realms > Realm Name > Applications > OAuth 2.0 > Client Name.
Clients registering dynamically can see the algorithms that the provider supports by making a call to the
/oauth2/.well-known/openid-configurationendpoint.In the ID Token Signing Algorithm field, enter the signing algorithm that AM will use to sign the ID token for this client.
Note that the OAuth 2.0 provider must support signing with the chosen algorithm.
Save your changes.
AM is ready to sign ID tokens with the algorithm you configured.
Tip
If you chose a non-HMAC-based algorithm, the client will need to make a request to AM's JWK URI endpoint for the realm to recover the signing public key they can use to validate the ID tokens.
See AlsoJSON Web Encryption
Deprecating Algorithms and Rotating Public Keys
With signing and encryption methods changing so rapidly, during the lifecycle of your OAuth 2.0 environment you will need to deprecate older, less secure signing and/or encrypting algorithms in favor of new ones.
In the same way, you will rotate the keys AM uses for signing and encryption if you suspect they may have been leaked or just due to security policies, such as deprecating algorithms or because they have reached the end of their lifetime.
The keys you expose in the JWK URI endpoint should reflect the algorithms currently supported by AM as well as the deprecated ones. Otherwise, clients still using tokens signed with deprecated keys would not be able to validate them.
This is why deprecating supported algorithms in the OAuth 2.0/OpenID Connect provider is a two-step process:
Remove the old algorithm from the OAuth 2.0 provider supported algorithm list. This stops new clients from registering with that algorithm.
After a grace period, remove the secret mapping associated to that algorithm. This removes the associated public keys from the JWK URI endpoint.
To Deprecate Supported Algorithms and their Keys
Perform the steps in this procedure to deprecate an algorithm and its related keys. If you only want to deprecate keys or rotate them as part of your environment's security policies, see "Mapping and Rotating Secrets" instead.
(Optional) Configure the new algorithm, if required.
Go to Realms > Realm Name > Services > OAuth2 Provider > OpenID Connect.
(Optional) In the ID Token Signing Algorithm supported field, add the new signing algorithm, if not already present.
(Optional) In the ID Token Encryption Algorithms supported field, add the new encryption algorithm, if not already present.
Save your changes.
(Optional) Configure secret ID mappings for the keys using the new algorithm, if required.
For more information, see "Configuring Secret Stores".
Remove the algorithm to be deprecated from the relevant OAuth 2.0 provider algorithm list:
Go to Realms > Realm Name > Services > OAuth2 Provider > OpenID Connect.
(Optional) In the ID Token Signing Algorithm supported field, remove the deprecated signing algorithm.
(Optional) In the ID Token Encryption Algorithms supported field, remove the deprecated encryption algorithm.
Save your changes.
Decide on a grace period. For example, a month. During this period both the deprecated and the new algorithms/keys are supported.
New clients cannot register with the deprecated algorithms and are forced to use a supported algorithm. However, since the deprecated keys are still mapped to secret IDs, existing clients still can use them to validate active tokens and encrypt requests.
Existing clients must change their configuration during the grace period to use one of the supported algorithms.
After the grace period, remove the secret ID mappings relevant to the deprecated algorithm.
For more information about secret mappings, see "Mapping and Rotating Secrets".
Customizing Public Key IDs
By default, AM generates a key ID (kid) for each public key exposed in the jwk_uri URI when AM is configured as an OAuth 2.0 authorization server.
For keys stored in a keystore or HSM secret store, you can customize how key ID values are determined by writing an implementation of the KeyStoreKeyIdProvider interface and configuring it in AM:
To Customize Public Key IDs
Perform the following steps:
Write your own implementation of the
KeyStoreKeyIdProviderinterface that provides a specific key ID for a provided public key. For more information, see the KeyStoreKeyIdProvider interface in the Access Management 7.0.2 Java API Specification.Log in to the AM console on the service provider as a top-level administrative user, such as
amAdmin.Configure AM as an OAuth 2.0/OpenID Connect Provider, if not done already. For more information, see Authorization Server Configuration.
Go to Configure > Server Defaults > Advanced.
Add an advanced server property called
org.forgerock.openam.secrets.keystore.keyid.provider, whose value is the fully qualified name of the class you wrote in previous steps. For example:org.forgerock.openam.secrets.keystore.keyid.provider = com.mycompany.am.secrets.CustomKeyStoreKeyIdProvider
Restart the AM instance or the container in which it runs.
Verify that the customized key IDs are displayed by navigating to the OAuth 2.0 authorization server's
jwk_uriURI. For example,https://openam.example.com:8443/openam/oauth2/connect/jwk_uri.
Displaying Every Algorithm and Key Type Associated to a Key ID
By default, each key ID (kid) exposed by the jwk_uri endpoint matches a unique secret, as recommended by the RFC7517 specification. This means that each kid is of a particular key type, and uses a particular algorithm.
If you have several algorithms and key types associated with one kid, configure the JWK URI endpoint to display them as different keys in the JWK. Note that when including all combinations associated with a kid, that kid does not uniquely identify a particular secret.
Go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.
Enable Include all kty and alg combinations in jwk_uri.
Save your changes.
Verify that you can now see duplicate
kidentries for different combinations of algorithms and key types.For more information, see "To Access the Keys Exposed by the JWK URI Endpoint".
