Encrypt ID token - OIDC App Configuration

Hello!

I’m doing an OIDC application configuration in Okta that has to adhere to Federation Assurance Level (FAL) compliance per NIST SP 800-63 guidelines:

  1. FAL1 permits the RP to receive a bearer assertion from an IdP; the IdP must sign the assertion using approved cryptography.
  2. FAL2 adds the requirement that the assertion be encrypted using approved cryptography such that the RP is the only party that can decrypt it.

Our system could be FAL1, not FAL2, compliant, but I am looking into verifying the following considerations before drawing any conclusions:

  1. Is data in transit encrypted by Okta? (i.e. ID token information)

  2. Does Okta support encryption of the ID token, like using JWE (JSON Web Encryption)?

  3. Is the userinfo response considered a part of the assertion, and does Okta encrypt that data in transit?

Hi there,

If you really need specific values encrypted, you could look at using the token inline hook.
However, some claims may not be modified using hooks.

So depending on what you are looking to be encrypted, Okta may or may not support this.

In addition, you would also have to work around your own key system of what the hook uses to encrypt claims and how the client would have the corresponding public key, in order to achieve what you are looking for.
