Generating JSON Web Keys for the OAuth flow


To use the OpenID Connect protocol for the OAuth client, you must generate JSON Web Keys (JWKs) and specify the OpenID Connect Issuer URL corresponding to the current FQDN of the tenant. The BMC Helix Single Sign-On server can then sign the id_token, and the OpenID client can check the id_token signature.

You also need to generate JWKs to support multiple domain applications when the BMC Helix SSO server is used as an OAuth server and the BMC Helix SSO agent is used as an OAuth client.

  1. Log in to the BMC Helix SSO Admin Console.
  2. Click OAuth2, and then select JWK.
  3. Click Generate.

    Important

    You can generate a maximum of 12 JWKs.

The generated JWKs are RSA (used to secure communication with OpenID Connect clients) and EC (used to sign and validate JWT access tokens). These cryptographic keys enable the BMC Helix SSO server to securely authenticate and authorize applications hosted on different domains.
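The id_token signature check that the OpenID client performs against the published RSA JWK, shown as an added example that is not BMC code. Assumptions: the id_token uses RS256, the issuer URL is a placeholder, the JWK set and toy key are constructed so the example runs offline, and all function names are hypothetical. Expiry, audience, and nonce checks are outside what this block demonstrates.

```python
import base64, hashlib, hmac, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo, SHA-256

def b64u_enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def int_b64u(i):
    return b64u_enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def expected_em(signing_input, k):
    """Build the k-byte padded block a valid RS256 signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token, jwks, issuer):
    """Return the claims, or raise ValueError if any check fails."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":          # pin the algorithm; reject "none", HS256
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA"
                and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA JWK with this kid")
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64u_dec(s64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, expected_em(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))
    if claims.get("iss") != issuer:           # must equal the configured Issuer URL
        raise ValueError("issuer mismatch")
    return claims

# Constructed sample data: toy key built from two Mersenne primes. NOT secure.
N, E = (2**521 - 1) * (2**607 - 1), 65537
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-rsa", "n": int_b64u(N), "e": int_b64u(E)}]}
ISSUER = "https://sso.example.com/rsso"       # placeholder issuer URL

def sign_demo(claims, alg="RS256", kid="demo-rsa"):  # stand-in for the server side
    head = b64u_enc(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64u_enc(json.dumps(claims).encode())
    em = expected_em(f"{head}.{body}".encode(), (N.bit_length() + 7) // 8)
    return f"{head}.{body}." + b64u_enc(pow(int.from_bytes(em, "big"), D, N).to_bytes(len(em), "big"))
```

A client that skips the `alg` pin or the `kid` lookup would accept tokens the generated keys never signed, which is why both checks run before the signature is evaluated.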

 
