0 votes

Using the OpenAM OpenID Connect agent, I have created an OAuth 2.0/OpenID Connect client named Test-Client with a scope of openid.

My OpenAM instance is deployed on Tomcat 7, and I have adjusted my /etc/hosts file to show localhost as openam.example.com.

Using the default credentials, I can retrieve an OpenID Connect ID token using the following:

curl -k -u Test-Client:password -d "grant_type=password&username=demo&password=changeit&scope=openid" -H "Content-Type: application/x-www-form-urlencoded" "http://openam.example.com:8080/openam/oauth2/access_token"

I can then retrieve the OpenID user info, if my bearer token is still valid, with the following (where {{access_token}} is the access token returned by the above command):

curl -X POST -H "Authorization: Bearer {{access_token}}" -k -v "http://openam.example.com:8080/openam/oauth2/userinfo"

My question:

  • How do I find the secret used to sign the id_token JWT?

1 Answer

3 votes

I don't have any experience with OpenAM, but to verify an ID token, you need to get the correct public key of the OpenID Connect provider (if the token was signed by an asymmetric cipher). To get it, you should read its discovery document, which should be located at /.well-known/openid-configuration. In the returned JSON document, find the jwks_uri value and load that URL. You will get another JSON document with all public keys of the server. Then you need to find the one whose kid (key ID) value matches the kid from the ID token.

If the token was signed with a symmetric cipher, there is no standardized way for its distribution.

For more info see:
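The procedure the answer describes (discovery document, jwks_uri, pick the JWK whose kid matches the token header, verify RS256), carried through as an added example. This is not code from the original question or answer and not OpenAM's own code: the provider's two HTTP endpoints are replaced by a constructed in-memory map so the script runs offline, the jwks_uri path `/oauth2/connect/jwk_uri`, the kid `test-key-1` and the claims are assumptions, and only the issuer URL and the client name `Test-Client` come from the question. RS256 is implemented with stdlib integer arithmetic so nothing needs installing. It also covers what the answer leaves implicit: the verifier must pin `alg` to RS256 instead of trusting the token header, reject a kid that is not in the JWKS, and check iss, aud and exp only after the signature has passed.

```python
# Added example (not from the original post or from OpenAM). HTTP is replaced by a
# constructed URL -> JSON map so it runs offline; the jwks_uri path, kid and claims
# are made up. RS256 (RSASSA-PKCS1-v1_5 over SHA-256) is done with stdlib integer
# math so nothing needs installing; in production use a maintained JWT library.
import base64, hashlib, json, random, time

# --- minimal RSA: Miller-Rabin keygen plus PKCS#1 v1.5 sign/verify -------------
def _is_probable_prime(n, rounds=32):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False  # witness found: n is composite
    return True

def generate_rsa_keypair(bits=1024, e=65537):
    def prime(b):  # random odd candidate with the top bit set, until Miller-Rabin accepts it
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256, RFC 8017 9.2
def _emsa_pkcs1_v15(msg, k):  # 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), k bytes in total
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rsa_verify(n, e, msg, sig):  # compare the whole recovered block (RFC 8017 8.2.2)
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

# --- JWT, discovery document and JWKS ----------------------------------------
ISSUER = "http://openam.example.com:8080/openam"   # deployment from the question
CLIENT_ID = "Test-Client"
def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(key, kid, claims):
    """Provider side: sign base64url(header).base64url(payload) with the private key."""
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + seg(claims)
    return signing_input + "." + b64url(rsa_sign(key, signing_input.encode()))

def constructed_provider(key, kid):
    """Constructed stand-in for the discovery document and the JWKS it points to."""
    jwks_uri = ISSUER + "/oauth2/connect/jwk_uri"   # assumed path: always take it from discovery
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))  # JWK big-endian uint
    return {ISSUER + "/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": jwks_uri},
            jwks_uri: {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                                 "n": enc(key["n"]), "e": enc(key["e"])}]}}

def verify_id_token(token, fetch, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Client side: return the claims of a valid ID token, else raise ValueError."""
    h64, p64, s64 = token.split(".")           # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":           # pin the algorithm: never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    jwks = fetch(fetch(issuer + "/.well-known/openid-configuration")["jwks_uri"])
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique RSA key for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    if not rsa_verify(n, e, (h64 + "." + p64).encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))    # trusted only after the signature check
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def demo():
    random.seed(2024)                                   # deterministic key for the example
    key, kid, now = generate_rsa_keypair(), "test-key-1", 1_700_000_000
    fetch = constructed_provider(key, kid).__getitem__  # stands in for an HTTPS GET + json.loads
    claims = {"iss": ISSUER, "sub": "demo", "aud": CLIENT_ID, "iat": now, "exp": now + 600}
    token = issue_id_token(key, kid, claims)
    h64, p64, s64 = token.split(".")
    def rejected(t):
        try:
            verify_id_token(t, fetch, now=now)
        except ValueError:
            return True
        return False
    return {"valid_sub": verify_id_token(token, fetch, now=now)["sub"],
            "tampered_payload": rejected(h64 + "." + b64url(b'{"sub":"someone-else"}') + "." + s64),
            "alg_none": rejected(b64url(b'{"alg":"none","kid":"test-key-1"}') + "." + p64 + "."),
            "unknown_kid": rejected(issue_id_token(key, "rotated-out", claims)),
            "expired": rejected(issue_id_token(key, kid, dict(claims, exp=now - 1)))}

if __name__ == "__main__":
    print(demo())
```

Against a real deployment, `fetch` becomes an HTTPS GET of the URL followed by `json.loads`; the discovery document and the JWKS are only trustworthy when fetched over a connection whose certificate has been verified, so the `-k` from the question's curl commands has no place there. The `kid` lookup is also what makes key rotation work: a token signed with a key that is no longer published (the `unknown_kid` case above) must fail, not fall back to "any key in the set".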