Configuring an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens

You can configure an OpenID Connect Provider to use the RS256 algorithm for the signing of ID tokens.

About this task

You can configure an OpenID Connect Provider to use the RSA-SHA256 signature algorithm for signing ID tokens by setting the signatureAlgorithm to RS256 and configuring a keystore with the private key used for signing.


  1. Set the OpenID Connect Provider signatureAlgorithm attribute to RS256.
  2. You can configure the Liberty OP to sign an ID Token with an X509 Certificate in a physical keystore, or a self-generated RSA key pair that is a periodically regenerated and published public key to the JWK in jwks_uri location.
    1. Optional: X509 certificate
      In the server.xml file, create a keystore element that refers to the physical keystore that contains the private key that is capable of performing an RSA-SHA256 signature algorithm. For example:
      <keyStore id="opTestKeyStore" location="${server.config.dir}/opKeyStore.jks" type="JKS" password="keystorePwd" />
      Set the keyStoreRef attribute to the id value of the keystore element that is used in step 1, and set the keyAliasName to locate the private key in the keystore. For example:
      <openidConnectProvider id="OAuthConfigSample" oauthProviderRef="OAuthConfigSample" signatureAlgorithm="RS256" keyStoreRef="opTestKeyStore" keyAliasName="myOpKeyAlias" />
    2. Optional: JWK

      To dynamically generate a signing key pair, and publish a public key to JWK, you add jwkEnabled="true". The key pair is regenerated every 12 hours, and you can configure jwkRotationTime to modify the frequency.


You have now configured an OpenID Connect Provider for signing ID tokens with RSA-SHA256.