Part of the OpenID certification. Uses keys registered with jwks_uri value [Dynamic] (OP-Registration-jwks_uri)
When you sign your JWT with a key from the jwks_uri (so with RS256) but "id_token_signed_response_alg" is set to HS256 in the OAuth2 client config, OpenAM throws a 500 when checking the signature of this JWT.
OpenAM used the value of id_token_signed_response_alg to identify the algorithm to use for checking the signature. It should actually read the signature algorithm from the JWT header instead.
- Set the "id_token_signed_response_alg" to HS256
- When calling the access token endpoint, use the JWT to authenticate the client. This is the JWT Bearer as authorization grant flow.
An access token
If you can, change the value of "id_token_signed_response_alg" to RS256.
The JWT that OpenAM received contains a kid, which identifies the JWK that OpenAM should use. Therefore, OpenAM should deduce the signing algorithm from the JWK, instead of reading the "id_token_signed_response_alg" value.
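The selection logic described above, sketched as an added example (this is not OpenAM's code; the function names, the `rsa-key-1` kid and the sample JWKS are constructed for illustration). It resolves the key by kid, takes the algorithm from the JWK, and rejects a header alg that the key type cannot produce, so a token claiming HS256 against an RSA key is refused rather than verified.

```python
import base64
import json

# Algorithms each JWK key type can legitimately verify (RFC 7518).
ALGS_BY_KTY = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
    "oct": {"HS256", "HS384", "HS512"},
}

# Constructed sample data: the client config from the report and a JWKS as
# it might be served from the client's jwks_uri (key material is a placeholder).
CLIENT_CONFIG = {"id_token_signed_response_alg": "HS256"}
JWKS = {"keys": [{"kty": "RSA", "kid": "rsa-key-1", "alg": "RS256",
                  "n": "PLACEHOLDER", "e": "AQAB"}]}

def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_jwt(header, claims=None):
    """Build a constructed JWT with a placeholder signature for the demo."""
    return ".".join([_b64url(header), _b64url(claims or {"iss": "client"}), "c2ln"])

def parse_header(jwt):
    segment = jwt.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def alg_from_client_config(config):
    """Behaviour described in the report: the ID token setting is reused."""
    return config["id_token_signed_response_alg"]

def alg_from_jwk(jwt, jwks):
    """Resolve the key by kid, then take the algorithm from the key."""
    header = parse_header(jwt)
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWK matches kid %r" % header.get("kid"))
    alg = key.get("alg") or header.get("alg")  # JWK "alg" is optional
    if alg not in ALGS_BY_KTY.get(key["kty"], set()) or header.get("alg") != alg:
        raise ValueError("header alg %r not valid for %s key" % (header.get("alg"), key["kty"]))
    return alg

SAMPLE_JWT = make_jwt({"alg": "RS256", "kid": "rsa-key-1"})
```

With the sample data, `alg_from_client_config(CLIENT_CONFIG)` yields HS256 for a token that was signed with an RSA key, which is the mismatch behind the 500, while `alg_from_jwk(SAMPLE_JWT, JWKS)` yields RS256.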