You can configure an OpenID Connect Provider to use the
RS256 algorithm for the signing of ID tokens.
About this task
You can configure an OpenID Connect Provider to sign ID tokens with the
RSA-SHA256 signature algorithm by setting the signatureAlgorithm attribute to
RS256 and configuring a keystore that holds the RSA private key used for signing.
Unlike HS256, which is an HMAC keyed with the shared client secret, RS256 lets a
relying party validate the ID token with the provider's public key, so the signing
key never has to be distributed.
Procedure
- In the server.xml file, create a keyStore element
that refers to the physical keystore file that contains the RSA private key
to be used for signing. The key pair must already exist in that file under a
known alias; for example, generate it with keytool -genkeypair -keyalg RSA
-keysize 2048 before you configure the server. The password value can be
encoded with the securityUtility encode command rather than stored in clear
text as in this example. For example:
<keyStore id="opTestKeyStore" location="${server.config.dir}/opKeyStore.jks" type="JKS" password="keystorePwd" />
- Set the signatureAlgorithm attribute of the openidConnectProvider element
to RS256, set the keyStoreRef attribute
to the id value of the keyStore element
that you created in step 1, and set the keyAliasName attribute to
the alias of the private key entry in that keystore. Setting keyStoreRef is
optional if the id of the keyStore element in step
1 is opKeyStore, which is the default reference. For example:
<openidConnectProvider id="OAuthConfigSample" oauthProviderRef="OAuthConfigSample" signatureAlgorithm="RS256" keyStoreRef="opTestKeyStore" keyAliasName="myOpKeyAlias" />
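The following is an added example, not part of the Liberty documentation or product. It shows what the RS256 setting produces and how a relying party should check it: an ID token is built from a JOSE header and claims, signed with RSASSA-PKCS1-v1_5 over SHA-256, and then verified with nothing but the Python standard library. Because the example cannot read the server's keystore, it generates an RSA key pair at run time in place of the private key under myOpKeyAlias; the issuer URL, client ID and kid value are constructed sample data. The verifier pins the algorithm to RS256 instead of trusting the token header, checks the full PKCS#1 v1.5 encoding rather than only the hash, and rejects wrong issuer, wrong audience and expired tokens.

```python
# RS256 (RSASSA-PKCS1-v1_5 with SHA-256) ID-token signing and verification, standard library only.
# Added example, not Liberty code: the key pair is generated at run time in place of the private key
# under keyAliasName in the documented keystore; issuer, audience and kid values are constructed.
import base64, hashlib, hmac, json, secrets, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):
    """Return (n, e, d). 1024 bits keeps the demo fast; a real keystore key should be >= 2048 bits."""
    def prime(b):  # random b-bit probable prime with the top bit set
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and (p * q).bit_length() == bits:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017, section 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too small for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input, signature, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Compare the whole encoded message, not just the trailing hash, so sloppy padding is rejected.
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(signing_input, k))

def encode_segment(obj):
    """base64url of the compact JSON serialization used for JWT header and payload segments."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_id_token(claims, n, d, kid):
    """What the provider does: sign base64url(header).base64url(claims) with the RSA private key."""
    signing_input = encode_segment({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + encode_segment(claims)
    return signing_input + "." + _b64url(rs256_sign(signing_input.encode(), n, d))

def verify_id_token(token, n, e, issuer, audience, now=None):
    """Return the claims of a valid RS256 ID token for (issuer, audience); raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h64, p64, s64 = parts
    # Pin the algorithm; never let the token header choose it (rejects alg=none and HS256 confusion).
    if json.loads(_b64url_decode(h64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    if not rs256_verify((h64 + "." + p64).encode(), _b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims

def id_token_is_valid(token, n, e, issuer, audience, now=None):
    """Boolean form of verify_id_token, convenient for tampering checks."""
    try:
        verify_id_token(token, n, e, issuer, audience, now)
        return True
    except ValueError:
        return False
```

To check a real token from the configured provider, pass its modulus and public exponent to verify_id_token in place of the generated values; the public key is the one that matches the private key entry named by keyAliasName. The pinned alg check matters even when the provider is configured correctly, because a relying party that lets the token header select the algorithm can be handed an unsigned or HMAC-signed token by anyone who knows the public key.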
Results
You have now configured an OpenID Connect Provider for signing
ID tokens with RSA-SHA256. To confirm, base64url-decode the first segment of
an ID token that the provider issues and check that its alg header value is RS256.