Enable JWT Encryption for OpenId Connect or OAuth 2.0 Realm

Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
SecureAuth IdP version affected: 9.0+

    Description: 

    SecureAuth IdP clients might include sensitive data in the JWT id_token that they want to encrypt. TLS encrypts the traffic in transit and mitigates most attack vectors, but some scenarios require additional privacy for the token contents themselves. JWE encrypts only the payload of the JWT.

    The documentation isn't clear on how to provide a certificate for encryption.

    Resolution:

    The OAuth or OIDC client will provide you with a URI that enumerates the client's JWKs (its JWK Set). This document must contain a key with the attribute "use": "enc" for the encryption JWK, and the base64-encoded X.509 certificate must be provided in that key's "x5c" member (an array of certificate strings), for example { "use": "enc", "x5c": [ "<encoded_cert_here>" ] }. Otherwise, IdP will silently fail the encryption and send the token as cleartext (a plain base64-encoded, unencrypted JWT).

    Configuration can be found at Post Authentication > Client > Client Details.

    Provide the JWK URI that the client provides in the fields below, and enable JWE.
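Because IdP falls back to an unencrypted token without any error, it is worth checking both sides of this setup: that the client's JWK Set actually carries a usable "use": "enc" key with an x5c certificate, and that the id_token that comes back is JWE (five segments with an "enc" header) rather than a plain signed JWT. The following is an added Python example, not SecureAuth code; the JWKS document, the x5c placeholder and the sample tokens are constructed here and do not contain a real certificate.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed sample JWKS (not from the page). The x5c entry is a placeholder:
# base64 of a few bytes that start with the DER SEQUENCE tag, not a real cert.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "sig-1", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-1", "alg": "RSA-OAEP",
     "x5c": [base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 4).decode()]},
]})

# Constructed tokens: a JWE-shaped id_token and a plain signed (JWS) id_token.
SAMPLE_JWE_TOKEN = _b64url(b'{"alg":"RSA-OAEP","enc":"A256GCM"}') + ".k.iv.ct.tag"
SAMPLE_JWS_TOKEN = _b64url(b'{"alg":"RS256"}') + ".claims.sig"

def find_encryption_key(jwks_text):
    """Return the JWK that IdP needs for JWE: "use": "enc" with an x5c array
    whose first entry is valid base64 of DER (leading SEQUENCE tag 0x30).
    Raises ValueError naming what is missing, since IdP itself stays silent."""
    keys = json.loads(jwks_text).get("keys", [])
    enc_keys = [k for k in keys if k.get("use") == "enc"]
    if not enc_keys:
        raise ValueError('no JWK with "use": "enc" in the JWK Set')
    for key in enc_keys:
        chain = key.get("x5c")
        if not isinstance(chain, list) or not chain:
            continue
        try:
            der = base64.b64decode(chain[0], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            return key
    raise ValueError('"use": "enc" key present but no valid base64 x5c certificate')

def token_is_encrypted(token):
    """True if the id_token is JWE compact serialization (5 segments and an
    "enc" header); False if it came back as a 3-segment signed JWT."""
    parts = token.split(".")
    if len(parts) != 5:
        return False
    header = json.loads(_b64url_decode(parts[0]))
    return "enc" in header
```

Run find_encryption_key against the client's published JWK Set before enabling JWE, and token_is_encrypted against a real id_token afterwards; a False result means the token left IdP as cleartext.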
