PingAM 7.5.0

/oauth2/connect/rp/jwk_uri

As well as acting as the provider, AM can also act as the relying party. To share its client public secrets, AM exposes a JSON web key (JWK) URI endpoint for each realm.

Use this endpoint during Ping Identity Platform social identity registration, where providers can use the exposed secrets to:

  • Encrypt ID tokens returned to AM.

  • Verify the signature of JWTs coming from AM, such as that of request objects or client authentication JWTs.

  • Decrypt client authentication JWTs coming from AM.

Specify the AM realm path in the URI, as follows:

/oauth2/realms/root/realms/alpha/connect/rp/jwk_uri

Example:

$ curl https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/connect/rp/jwk_uri
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "DkKMPE7hFVEn77WWhVuzaoFp4O8=",
      "use": "enc",
      "x5t": "JRxY4hJRL3sI_dAUWUEosCEQJ3A",
      "x5c": [
        "MIIDYTCCAkm…​eP4wLr3cM="
      ],
      "n": "i7t6m4d_02dZ8dOe-DFc…​zflF8jR9pewTbQ",
      "e": "AQAB"
    },
    {
      "kty": "RSA",
      "kid": "wU3ifIIaLOUAReRB/FG6eM1P1QM=",
      "use": "sig",
      "x5t": "5eOfy1Nn2MMIKVRRkq0OgFAw348",
      "x5c": [
        "MIIDdzCCAl+gAwIBAgIES3eb+zANBgk…​s009kbW6inN8zA6"
      ],
      "n": "10iGQ5l5IdqB…​AJW4ZSg1PPO2UJSQ",
      "e": "AQAB"
    }
  ]
}

Supply the JWK URI to the provider when registering AM as a relying party. Consult the documentation provided by your OpenID provider for more information.

The JWK URI endpoint publishes keys based on secret mappings made either globally, or in the specific realm.

The secret labels to map are as follows:

am.services.oauth2.oidc.rp.jwt.authenticity.signing

The OpenID Connect provider obtains the public key from the alias mapped to this secret, and uses it to verify the signature applied to request objects it receives.

All aliases configured for the secret label are published at the endpoint so that, when you rotate secrets, the provider is still able to validate JWTs with all the secrets.

The active secret is the only one that AM uses for signing, however.

am.services.oauth2.oidc.rp.idtoken.encryption

The OpenID Connect provider obtains the public key from the alias mapped to this secret, and uses it to encrypt ID tokens and userinfo endpoint data in JWT format before returning it to AM.

Unlike the signing secret label above, only the alias that is marked as active in the mappings is published at the endpoint. Any additional mappings are ignored.

am.services.oauth2.mtls.client.authentication

The OpenID Connect provider obtains the public JWK from the alias mapped to this secret, and uses it to verify the mutual TLS self-signed certificate that the client uses to authenticate.

Secrets configured globally will show in the JWK URI for all realms.

In a new AM installation, these signing and encryption secret labels are mapped by default, as explained in the table below:

Decrypt ID tokens

This table shows the secret label mapping to support decryption of ID tokens and userinfo endpoint data in JWT format when AM is configured as a relying party of the Social Identity Provider Service:

Secret label Default alias Algorithms

am.services.oauth2.oidc.rp.idtoken.encryption

test

Consult the .well-known endpoint of the identity provider.

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret label mapping, refer to Social authentication.

Sign JWTs and objects

This table shows the secret label mapping that AM uses to sign JWTs and objects when configured as a relying party of the Social Identity Provider Service:

Secret label Default alias Algorithms

am.services.oauth2.oidc.rp.jwt.authenticity.signing

rsajwtsigningkey

Consult the .well-known endpoint of the identity provider.

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret label mapping, refer to Social authentication.

In upgraded AM instances, the secret labels won’t have default aliases mapped, and the JWK URI endpoint returns an empty JWK set.

By default, secret labels are mapped to demo keys contained in the default keystore provided with AM and mapped to the default-keystore secret store. Use these keys for demo and test purposes only. For production environments, replace the secrets as required and create mappings for them in a secret store configured in AM.

For details about managing secret stores and mapping secret labels to aliases, refer to Secrets, certificates, and keys.