Configuring OpenID Connect Authorization Server

This topic guides you through configuring the OpenID Connect Authorization Server by modifying the identity.xml file found in the <PRODUCT_HOME>/repository/conf/identity/ directory.

The <OpenIDConnect> element contains the sub elements which can be configured accordingly as explained below.

<OpenIDConnect>
            <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
            <!--
                Default value for IDTokenIssuerID, is OAuth2TokenEPUrl.
                If that doesn't satisfy uncomment the following config and explicitly configure the value
            -->
            <IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</IDTokenIssuerID>
            <IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
            <IDTokenExpiration>3600</IDTokenExpiration>
            <UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
            <UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
            <UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
            <UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
            <SkipUserConsent>false</SkipUserConsent>
			<!-- Sign the ID Token with Service Provider Tenant Private Key-->
 			<SignJWTWithSPKey>false</SignJWTWithSPKey>  
        </OpenIDConnect>

The following sub elements are the important configurations for configuring the OpenID Connect Authorization Server.

Element	Description

Element	Description
`<IDTokenIssuerID>`	The value of `TokenIssuerID` of the `IDToken`. This should be changed according to the deployment values.
`<IDTokenExpiration>`	The expiration value of the `IDToken` in seconds.
`<IDTokenCustomClaimsCallBackHandler>`	This can be used to return extra custom claims with the `IDToken`. You can implement a claims call back handler to push the custom claims to the `IDToken`. This class needs to implement the interface `CustomClaimsCallbackHandler`. You can find the default implementation here as a reference.
`<UserInfoEndpointClaimRetriever>`	Defines the class which builds the claims for the User Info Endpoint's response. This class needs to implement the interface `UserInfoClaimRetriever`. The default implementation can be found here as a reference.