In OpenAM 13.0.0 the authId token is signed with a random key generated when OpenAM starts. In a multi-instance deployment each instance therefore has a different key, and if the server where the authentication continues is not the server that generated the authId, the second server cannot validate the authId token and fails with "AuthId JWT Signature not valid".
I reproduced it the following way:
- Set up a deployment with two OpenAM 13.0.0 instances
- In Postman, start authentication on server1 at openam.example.com:18080/openam/json/authenticate
- For the second step, when returning the credentials, switch to the second server openam2.example.com:28080/openam/json/authenticate?
The answer I get is
When looking into the export configuration, the value that causes the issue is:
Replacing that value with a static key fixes the problem. The key must be 128 random bits, base64 encoded.
To do that you can either use the console: under