Skip to end of metadata
Go to start of metadata


The goal of this guide is to describe a recipe of how to build a rapid model to test OpenID Connect with a simple as possible browser-based client.   This sample client can then be extended based upon any web language and/or framework of choice. 


Step 1: Prerequisites and Assumptions

Install JDK 1.8, Tomcat per their recommendations

It is assumed the FQDN for both instances is   These would not need to be the same in real world just used to make easy test environment.

OpenAM Installation video:

Step 2: Configure OAuth2/OpenID Connect Service (OpenAM)

First step is to configure the OpenAM to support OpenID Connect and thereby OAuth2.

Login into OpenAM Admin console as AmAdmin select the default realm and select Configure OAuth Provider link from Common Tasks


Next choose Configure OpenID Connect 

For the most part choose defaults.  It may be desired, at least until debugging is completed that the Lifetime settings are made rather high.


Towards the bottom of this screen select Always Return Claims in ID Tokens.

Step 3: Configure OAuth2/OpenID Client Configuration (OpenAM)

Create a new Agent of type OAuth2.0/OpenID Connect Client, call it MyClientID and password of password

This ID name can be different and unique for your deployment, but per this example stick with this name.


Edit the MyClientID settings and go with defaults, however a valid Redirection URIs needs to be available.

In this example with the sample application should be, http://localhost:8000 can be added.

Step 4: Setup Simple Client



mkdir ~/web

create index.html





  function gup( name, url ) {

    if (!url) url = location.href;

    name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");

    var regexS = "[\\?&]"+name+"=([^&#]*)";

    var regex = new RegExp( regexS );

    var results = regex.exec( url );

    return results == null ? null : results[1];



  var outString=""; 

  var idToken = gup('id_token');

  if (idToken!=null) outString = (JSON.parse(atob(idToken.split(/\./)[1])));

  if (idToken!=null) console.log(outString);

  if (idToken!=null) alert("Hello "+outString.sub);




<a href="">click</a>



Start Web Server

python -m SimpleHTTPServer 8000

Step 5: Loading OpenAM IDP Metadata into Sample

Step 6: Click on link and login 

Afterwards redirect back to client application and watch the Hello Alert box display the user.

Also, if choosing the developer console in the browser the entire unencoded JSON object is displayed.





  • No labels


  1. Unknown User (f.strada)


    I must get all informations about my subject (After login) , using openam rest service. What is the service which I must call?

    Unfortunately, in this example, the service returns only the username. I need this information: name, surname, mail and username of my subject.


  2. @fabio,    OpenAM has a checkbox on the OpenIDC Agent configuration admin page, that allows for sending claims in response.  Checking will send all of the selected claims in the token as well.   In addition you can create a custom claims script that will allow custom claims to be sent and if the checkbox is selected, they too will be sent upon the single request.