This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring OpenID Connect Authorization Server

This topic guides you through configuring the OpenID Connect Authorization Server by modifying the identity.xml file found in the <PRODUCT_HOME>/repository/conf/identity/ directory. 

The <OpenIDConnect> element contains the sub elements which can be configured accordingly as explained below. 

<OpenIDConnect>
            <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
            <!--
                Default value for IDTokenIssuerID, is OAuth2TokenEPUrl.
                If that doesn't satisfy uncomment the following config and explicitly configure the value
            -->
            <IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</IDTokenIssuerID>
            <IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
            <IDTokenExpiration>3600</IDTokenExpiration>
            <UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
            <UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
            <UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
            <UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
            <SkipUserConsent>false</SkipUserConsent>
			<!-- Sign the ID Token with Service Provider Tenant Private Key-->
 			<SignJWTWithSPKey>false</SignJWTWithSPKey> 
        </OpenIDConnect>

The following sub elements are the important configurations for configuring the OpenID Connect Authorization Server.

ElementDescription
<IDTokenIssuerID>The value of TokenIssuerID of the IDToken. This should be changed according to the deployment values.
<IDTokenExpiration>The expiration value of the IDToken in seconds.
<IDTokenCustomClaimsCallBackHandler>This can be used to return extra custom claims with the IDToken. You can implement a claims call back handler to push the custom claims to the IDToken. This class needs to implement the interface CustomClaimsCallbackHandler. You can find the default implementation here as a reference.
<UserInfoEndpointClaimRetriever>Defines the class which builds the claims for the User Info Endpoint's response. This class needs to implement the interface UserInfoClaimRetriever. The default implementation can be found here as a reference.
<UserInfoEndpointResponseBuilder>

The value that is set to get JWT response from user info endpoint. Change the value as follows:

<UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse</UserInfoEndpointResponseBuilder>