Encrypt ID token - OIDC App Configuration


I’m doing an OIDC application configuration in Okta that has to adhere to Federation Assurance Level (FAL) compliance per NIST SP 800-63 guidelines:

  1. FAL1 permits the RP to receive a bearer assertion from an IdP; the IdP must sign the assertion using approved cryptography.
  2. FAL2 adds the requirement that the assertion be encrypted using approved cryptography such that the RP is the only party that can decrypt it.

Our system could be FAL1, not FAL2 compliant but I am looking into verifying the following considerations before drawing any conclusions:

  1. Is data in transit encrypted by Okta? (i.e. ID token information)

  2. Does Okta support encryption of the ID token, like using JWE (JSON Web Encryption)?

  3. Is the userinfo response considered a part of the assertion, and does Okta encrypt that data in transit?