Configuring an OpenID Connect Client to use the RSA-SHA256 algorithm for signing ID tokens

You can sign ID tokens with an OpenID Connect Client by setting the RSA-SHA256 (RS256) algorithm on the signatureAlgorithm attribute and configuring the OpenID Connect Relying Party (RP).

Before you begin

Both the Liberty OpenID Connect Relying Party (RP) and OpenID Provider (OP) default the signature algorithm to HS256, which is HMAC with SHA-256. Your RP signature algorithm must match the OP signature algorithm, and many OPs do not support HS256. In the steps that follow, you set the RP signature algorithm to RS256 to override the default of HS256.

About this task

You can configure an OpenID Connect Client to use the RSA-SHA256 signature algorithm for the signature verification of ID tokens. Set the signatureAlgorithm to RS256 and configure a jwkEndpointUrl endpoint or a combination of trustStoreRef and trustAliasName attributes to indicate the public key to use for signature verification.

Procedure

  1. Edit the server.xml file for your OpenID Connect RP.
  2. Add the signatureAlgorithm attribute with a value of RS256 to the openidConnectClient element. 
    signatureAlgorithm="RS256"
  3. Configure the RP.

    Complete one of the following options:

    • If your OP supports a JSON Web Key (JWK) endpoint, configure your RP to use it.

      Add the following attribute to your openidConnectClient configuration.

      Attribute Description Example
      jwkEndpointUrl Specifies the OP JWK endpoint URL. jwkEndpointUrl="https://www.googleapis.com/oauth2/v3/certs"
    • Configure the RP to use a local key.

      Add the following attributes to your openidConnectClient configuration.

      Attribute Description Example
      trustStoreRef The keystore that contains the public key necessary for verifying the signature of the ID token. trustStoreRef="defaultKeyStore"
      trustAliasName Key alias name to locate the public key for signature validation with an asymmetric algorithm. This attribute is the public certificate of the OP private key that was used to produce the signature. trustAliasName="googleG3"