You can configure an OpenID Connect Provider to use the RS256 algorithm for the signing of ID tokens.
About this task
You can configure an OpenID Connect Provider to use the RSA-SHA256 signature algorithm for signing ID tokens by setting the signatureAlgorithm attribute to RS256 and configuring a keystore with the private key used for signing.
Procedure
- Set the OpenID Connect Provider signatureAlgorithm attribute to RS256.
- Choose where the signing key comes from. You can configure the Liberty OP to sign an ID token with an X509 certificate in a physical keystore, or with a self-generated RSA key pair that is periodically regenerated, with its public key published as a JWK at the jwks_uri location.
- Optional: X509 certificate
  In the server.xml file, create a keyStore element that refers to the physical keystore that contains the private key that is capable of producing an RSA-SHA256 signature. For example:
  <keyStore id="opTestKeyStore" location="${server.config.dir}/opKeyStore.jks" type="JKS" password="keystorePwd" />
  Set the keyStoreRef attribute of the openidConnectProvider element to the id value of the keyStore element that you created in the previous step, and set keyAliasName to the alias that locates the private key in the keystore. For example:
  <openidConnectProvider id="OAuthConfigSample" oauthProviderRef="OAuthConfigSample" signatureAlgorithm="RS256" keyStoreRef="opTestKeyStore" keyAliasName="myOpKeyAlias" />
- Optional: JWK
  To dynamically generate a signing key pair and publish its public key as a JWK, add the jwkEnabled="true" attribute. The key pair is regenerated every 12 hours; configure jwkRotationTime to change that frequency.
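As an added example (not code from the Liberty product or from this documentation), the relying-party side of this configuration in Go: a token signer standing in for the OP, and a verifier that pins alg to RS256, selects the public key by kid from the jwks_uri document, and re-fetches the JWKS once when the kid is unknown, so a cached key set survives the rotation described above. The kid values, claims and fetch callback are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT and JWK both use unpadded base64url (RFC 7515/7517)
// SignRS256 issues a compact JWT the way the OP does: RSASSA-PKCS1-v1_5 over SHA-256 (RFC 7518 "RS256").
func SignRS256(kid string, priv *rsa.PrivateKey, claims map[string]string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig)
}
// VerifyRS256 checks a token against the OP's JWKS. fetch returns the jwks_uri document and is called
// a second time when the kid is unknown, so a cached key set keeps working after the OP rotates its key.
func VerifyRS256(token string, fetch func() []byte) error {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("rejected: malformed header or alg is not RS256") // no alg=none or HS256 downgrade
	}
	var pub *rsa.PublicKey
	for try := 0; try < 2 && pub == nil; try++ { // second pass re-fetches a rotated JWKS
		var set struct{ Keys []struct{ Kty, Kid, N, E string } } // matches "kty","kid","n","e" case-insensitively
		_ = json.Unmarshal(fetch(), &set)
		for _, k := range set.Keys {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			if k.Kid == hdr.Kid && k.Kty == "RSA" && len(n) > 0 && len(e) > 0 {
				pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			}
		}
	}
	sig, err := b64.DecodeString(p[2])
	if pub == nil || err != nil {
		return errors.New("no usable RSA key for kid " + hdr.Kid)
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

A production verifier additionally checks iss, aud, exp and nonce after the signature passes; this block covers only the key-selection and signature step.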
Results
You have now configured an OpenID Connect Provider for signing ID tokens with RSA-SHA256.