SecureAuth IdP Version affected: 9.0+
Description:
SecureAuth IdP clients may have sensitive data in the JWT id_token that they want to encrypt. TLS encrypts the traffic in transit, which mitigates most attack vectors, but some scenarios require additional privacy for the data itself. JWE encrypts only the payload of the JWT.
The documentation isn't clear on how to provide a certificate for encryption.
Resolution:
The OAuth or OIDC client will provide you with a URI that enumerates the client's JWKs. That URI must serve a JWK with the attribute { "use": "enc" } for the encryption key, and the base64-encoded X.509 certificate must be provided in that key's x5c member, which per the JWK format is an array: { "use": "enc", "x5c": ["<encoded_cert_here>"] }. Otherwise, IdP will silently skip encryption and send the token as cleartext base64.
Configuration can be found at Post Authentication > Client > Client Details.
Provide the JWK URI that the client provides in the fields below, and enable JWE.
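Because the IdP falls back to an unencrypted token without an error, it is worth checking both sides: that the client's JWKS actually exposes a usable encryption key, and that the id_tokens you receive are JWE rather than plain JWS. The following is an added example, not SecureAuth's code; the JWKS document and the tokens are constructed for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed sample JWKS (not a real client's document). The x5c entry stands in
# for a base64-encoded DER certificate; here it is just encoded placeholder bytes.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "sig-1", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-1", "alg": "RSA-OAEP",
     "x5c": [base64.b64encode(b"placeholder DER certificate").decode()]},
]})

def encryption_keys(jwks_json: str) -> list:
    """Return the JWKs the IdP could use for JWE: "use" is "enc" and "x5c" holds
    at least one non-empty, valid base64 string (certificate chain, leaf first)."""
    usable = []
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use") != "enc":
            continue
        x5c = key.get("x5c")
        if not isinstance(x5c, list) or not x5c:
            continue
        try:
            for cert in x5c:
                base64.b64decode(cert, validate=True)
        except (TypeError, ValueError):
            continue
        usable.append(key)
    return usable

def token_is_encrypted(token: str) -> bool:
    """True if the compact token is a JWE (five parts and a protected header that
    names an "enc" algorithm); False for a plain signed JWS (three parts)."""
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        return True
    if len(parts) == 3:
        return False
    raise ValueError("not a compact JWS or JWE")

# Constructed tokens: the headers are real, the remaining segments are placeholders.
SIGNED_ONLY = ".".join([_b64url(b'{"alg":"RS256"}'), _b64url(b'{"sub":"u"}'), _b64url(b"sig")])
ENCRYPTED = ".".join([_b64url(b'{"alg":"RSA-OAEP","enc":"A256GCM"}')] + [_b64url(b"x")] * 4)
```

Run encryption_keys against the live JWKS URI before enabling JWE, and alert on any id_token for which token_is_encrypted returns False once JWE is expected.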