Configuration
The steps below summarize how to configure the Token Server as an OpenID Provider.
Configure JWT Keys for signing
The Token Server allows you to configure the algorithm and keys used to calculate the digital signature of the ID Token.
| Field | Required | Example value | Details |
|---|---|---|---|
| Discovery URL | Read-only | https://tokenserver.example.com/oauth/.well-known/openid-configuration | URL of the Discovery endpoint |
| Signing algorithm | Yes | RS256: RSASSA-PKCS1-v1_5 using SHA-256 (default) | The algorithm used to generate the digital signature of the JWT |
| Next key | Read-only | db5aac2e-504b-4845-8900-4d64d2afd3ad | Identifier of the Next key |
| Current key | Read-only | 59b04937-7a12-4ff7-9d27-67b55637da9f | Identifier of the Current key. This is the identifier referenced in the KID field of the currently issued ID Tokens. |
| Previous key | Read-only | a1328084-d75d-4ea7-a734-fe5257a5faff | Identifier of the Previous key. This field is empty upon initial creation of the keys. |
The Next key and the Current key are generated during initial application startup.
For security reasons it is advised to periodically change the keys used for the digital signature. To ensure that the Relying Party is able to validate the signature of ID Tokens issued prior to the key change, the Token Server provides the following key rotation mechanism: upon clicking the Rotate Keys button, the Current key becomes the Previous key, the Next key becomes the Current key, and a new Next key is generated.
Modifying the algorithm requires a change of the underlying keys. As part of that change, the keys are rotated in a slightly different way: the Current key becomes the Previous key, and two new keys are generated: a new Current key and a new Next key.
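The two rotation rules above (the Rotate Keys action and the rotation triggered by an algorithm change) are easy to get subtly wrong on the Relying Party side, where a token signed under a key that has just moved to the Previous slot must still verify while a token under a key that has dropped out of the ring must not. The Go program below is an added example, not the Token Server's own code: it models the Previous/Current/Next slots, signs a compact RS256 JWS (RSASSA-PKCS1-v1_5 with SHA-256, as in the table above) with the Current key, and verifies by looking the token's `kid` up in the published key set. Assumptions that the page does not state: key identifiers are random hex instead of the UUIDs shown above, only the Previous and Current keys are published for verification (Next is not), and the `KeyRing`, `Sign` and `Verify` names are this example's, not the product's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// minRSABits is the documented minimum for TOKEN_SERVER_ADMIN_RSA_ENCRYPTION_STRENGTH.
const minRSABits = 2048

// signingKey is one RSA key pair plus the identifier placed in the JWT "kid" header.
type signingKey struct {
	ID   string
	Priv *rsa.PrivateKey
}

// KeyRing models the Previous / Current / Next slots (this example's model, not the product's).
type KeyRing struct {
	Previous *signingKey // nil right after initial creation, as the table above states
	Current  *signingKey
	Next     *signingKey
	bits     int
}

// newSigningKey generates an RSA key and a random hex identifier (assumption: the real
// product uses UUIDs, as the example values in the table show).
func newSigningKey(bits int) (*signingKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &signingKey{ID: hex.EncodeToString(id), Priv: priv}, nil
}

// NewKeyRing mirrors initial startup: Current and Next are generated, Previous stays empty.
func NewKeyRing(bits int) (*KeyRing, error) {
	if bits < minRSABits {
		return nil, fmt.Errorf("RSA strength %d is below the minimum of %d bits", bits, minRSABits)
	}
	cur, err := newSigningKey(bits)
	if err != nil {
		return nil, err
	}
	next, err := newSigningKey(bits)
	if err != nil {
		return nil, err
	}
	return &KeyRing{Current: cur, Next: next, bits: bits}, nil
}

// Rotate implements the Rotate Keys action: Current -> Previous, Next -> Current, fresh Next.
func (r *KeyRing) Rotate() error {
	next, err := newSigningKey(r.bits)
	if err != nil {
		return err
	}
	r.Previous, r.Current, r.Next = r.Current, r.Next, next
	return nil
}

// ChangeAlgorithm models the rotation on an algorithm (here: key strength) change:
// Current -> Previous, and both Current and Next are freshly generated.
func (r *KeyRing) ChangeAlgorithm(bits int) error {
	if bits < minRSABits {
		return fmt.Errorf("RSA strength %d is below the minimum of %d bits", bits, minRSABits)
	}
	cur, err := newSigningKey(bits)
	if err != nil {
		return err
	}
	next, err := newSigningKey(bits)
	if err != nil {
		return err
	}
	r.Previous, r.Current, r.Next, r.bits = r.Current, cur, next, bits
	return nil
}

// PublishedKeys is the kid -> public key set a JWKS-style endpoint would expose: Current plus
// Previous, so tokens issued before the last rotation still verify (assumption: Next is not published).
func (r *KeyRing) PublishedKeys() map[string]*rsa.PublicKey {
	keys := map[string]*rsa.PublicKey{r.Current.ID: &r.Current.Priv.PublicKey}
	if r.Previous != nil {
		keys[r.Previous.ID] = &r.Previous.Priv.PublicKey
	}
	return keys
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact RS256 JWS (header.payload.signature) using the Current key.
func (r *KeyRing) Sign(claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": r.Current.ID})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.Current.Priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify is the Relying Party side: select the key by kid, reject unknown kids and any alg other
// than the one configured (RS256), then check the RSASSA-PKCS1-v1_5 / SHA-256 signature.
func Verify(token string, keys map[string]*rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	pub, ok := keys[header.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", header.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	ring, _ := NewKeyRing(minRSABits)
	tok, _ := ring.Sign(map[string]any{"iss": "https://tokenserver.example.com", "sub": "alice"})
	_ = ring.Rotate()
	_, err := Verify(tok, ring.PublishedKeys())
	fmt.Println("token issued before one rotation still verifies:", err == nil)
	_ = ring.Rotate()
	_, err = Verify(tok, ring.PublishedKeys())
	fmt.Println("token issued before two rotations still verifies:", err == nil)
}
```

Two consequences of the model are worth checking in your own deployment: a token survives exactly one Rotate Keys action (after the second its key is no longer published, so the Relying Party must refresh its cached key set and reject it), and a Relying Party that pins the algorithm to the one configured in the table (RS256) rather than trusting the token's `alg` header is not exposed to algorithm-confusion tricks even during an algorithm change.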
For algorithms that use an RSA key, the strength of the key can be configured with the following property:
TOKEN_SERVER_ADMIN_RSA_ENCRYPTION_STRENGTH=2048
The minimum RSA strength is 2048 bits.
Web Client
Enable an OpenID compliant grant type: either Authorization Code or Implicit.
Enable OpenID Connect by adding the openid scope to either Default Scopes or Additional Scopes, and configure the OpenID specific settings as described in Enabling OpenID Connect capability.
Identity Provider
A Relying Party may request additional claims as specified by the OpenID Connect scopes. To enable the Token Server to retrieve this information, User Info must be enabled, as described in Configure User Info Endpoint, for the Identity Provider associated with the web client.