Configure an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens
We can configure an OpenID Connect Provider to use the RS256 algorithm for the signing of ID tokens.
We can configure an OpenID Connect Provider to use the RSA-SHA256 signature algorithm for signing ID tokens by setting the signatureAlgorithm to RS256 and configuring a keystore with the private key used for signing.
1. In server.xml, create a keyStore element that points to the physical keystore containing the private key that is capable of performing the RSA-SHA256 signature algorithm. For example:
<keyStore id="opTestKeyStore" location="${server.config.dir}/opKeyStore.jks" type="JKS" password="keystorePwd" />
2. Set the OpenID Connect Provider signatureAlgorithm attribute to RS256, set the keyStoreRef attribute to the id value of the keyStore element that you created in step 1, and set the keyAliasName attribute to the alias that locates the private key in that keystore. Setting keyStoreRef is optional if the id of the keyStore element created in step 1 is opKeyStore. For example:
<openidConnectProvider id="OAuthConfigSample" oauthProviderRef="OAuthConfigSample" signatureAlgorithm="RS256" keyStoreRef="opTestKeyStore" keyAliasName="myOpKeyAlias" />
Results
We have now configured an OpenID Connect Provider for signing ID tokens with RSA-SHA256.
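To see what this configuration produces, here is an added example (not Liberty code) of the two sides of RS256 ID token signing in Python: sign_rs256 plays the OP signing with the keystore's private key, and verify_rs256 is the relying-party check that pins alg to RS256 before validating the PKCS#1 v1.5 signature with only the OP's public key. The key pair, claim values and function names are constructed for the demo; the RSA and padding arithmetic is written out with the standard library so it runs offline, where production code would use a JOSE library.

```python
import base64, hashlib, json

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), k bytes long."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(claims: dict, n: int, d: int) -> str:
    """What the OP does with the keystore private key: mint an RS256-signed ID token."""
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(f"{head}.{body}".encode(), k), "big")
    return f"{head}.{body}.{b64url(pow(m, d, n).to_bytes(k, 'big'))}"

def verify_rs256(token: str, n: int, e: int):
    """Relying-party check: return the claims only if the token is RS256-signed under
    the OP public key (n, e). The alg is pinned before any crypto runs, so a token
    relabelled 'none' or 'HS256' is rejected regardless of its signature field."""
    try:
        head, body, sig_b64 = token.split(".")
        hdr = json.loads(unb64url(head))
        if not isinstance(hdr, dict) or hdr.get("alg") != "RS256":
            return None
        k = (n.bit_length() + 7) // 8
        sig = unb64url(sig_b64)
        s = int.from_bytes(sig, "big")
        if len(sig) != k or s >= n:
            return None
        if pow(s, e, n).to_bytes(k, "big") != emsa_pkcs1_v15(f"{head}.{body}".encode(), k):
            return None
        return json.loads(unb64url(body))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None

def demo_key():
    """Constructed demo key: its factors are the public Mersenne primes 2^521-1 and 2^607-1,
    so it is trivially breakable; the real OP key is the keyAliasName entry in opKeyStore.jks."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))
```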
Parent topic: Configure an OpenID Connect Provider