
Configuring OpenID Connect Authorization Server

This topic guides you through configuring the OpenID Connect Authorization Server by editing the deployment.toml file found in the <IS_HOME>/repository/conf/ directory.

id_token_builder = "org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder"
claim_callback_handler = "org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback"
user_info_claim_retriever = "org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever"
user_info_access_token_validator = "org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator"
user_info.response_type = "json"
issuer = "${carbon.protocol}://${}:${}/oauth2/token"
id_token_validity = 3600
consent_prompt = true
sign_auth_response_with_tenant_of = "user"

The following elements are the important configurations for the OpenID Connect Authorization Server.

| Element | Description |
|---|---|
| issuer | The value of the iss claim of the ID token. Change it to match the host and port of your deployment. |
| id_token_validity | The expiration time of the ID token, in seconds. |
| claim_callback_handler | Used to return extra custom claims in the ID token. You can implement a claims callback handler that pushes the custom claims into the ID token; the class needs to implement the CustomClaimsCallbackHandler interface. The default implementation (SAMLAssertionClaimsCallback, configured above) can be used as a reference. |
| user_info_claim_retriever | Defines the class that builds the claims for the User Info endpoint's response. The class needs to implement the UserInfoClaimRetriever interface. The default implementation (UserInfoUserStoreClaimRetriever, configured above) can be used as a reference. |
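The issuer and id_token_validity values above end up as the iss and exp claims of every ID token the server mints, and a relying party must check exactly those claims (after the signature) before trusting the token. The following Python example, added here and not part of the WSO2 documentation or product code, shows both sides of that contract: a token built from the configured values and the relying-party checks that reject a wrong issuer, a wrong audience, an expired token or a tampered payload. It assumes example host/port values for the ${} placeholders in the issuer template, a client_id of "client-app", and uses HMAC-SHA256 with a constructed secret as a stand-in for the server's RS256 keystore signature so that it runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed configuration mirroring the deployment.toml values on this page.
# The ${} placeholders of the issuer template are filled with assumed values.
CONFIG = {
    "issuer": "https://localhost:9443/oauth2/token",  # assumed host and port
    "id_token_validity": 3600,                         # seconds, as on the page
}

# Stand-in signing key. The real server signs ID tokens with its keystore
# key (RS256); HMAC-SHA256 with a constructed secret is used here only so the
# example is self-contained.
SIGNING_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_id_token(subject: str, client_id: str, issued_at: int) -> str:
    """Mint an ID token whose iss and exp follow the configured values."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": CONFIG["issuer"],
        "sub": subject,
        "aud": client_id,
        "iat": issued_at,
        "exp": issued_at + CONFIG["id_token_validity"],
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_issuer: str, client_id: str, now: int) -> dict:
    """Relying-party checks: signature first, then iss, aud and the time claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("token issued in the future")
    return claims


def check_id_token(token: str, expected_issuer: str, client_id: str, now: int) -> str:
    """Return "ok" or the reason the token was rejected."""
    try:
        validate_id_token(token, expected_issuer, client_id, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = build_id_token("alice", "client-app", now)
    print("fresh token:", check_id_token(token, CONFIG["issuer"], "client-app", now + 60))
    print("after validity:", check_id_token(token, CONFIG["issuer"], "client-app", now + 3600))
```

The order of the checks matters: the signature is verified before any claim is read, so a forged payload is rejected without its contents ever influencing the decision, and the issuer comparison is an exact string match against the value configured in deployment.toml, which is why that value has to be the externally reachable URL of the deployment rather than a placeholder.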

The user_info.response_type value controls the format of the User Info endpoint's response (json in the sample configuration above). To get a JWT response, change the value as follows: