I’m currently developing a proof of concept for our organization. It is utilizing Okta as member authentication for our digital channel. I have used the default Okta Authorization Server to secure an Azure API by locally validating the access token that is generated by the Okta user login process. One of our requirements is to pass some secret information in the jwt token. I was hoping to use the Authorization Server’s Claims facility to pass an encrypted user attribute in the payload of the jwt. I know that the entire token is signed by a rotating certificate but this doesn’t hide the secrets. My question is whether it is possible to encrypt any parts of the token? Ideally I’d like to add the member number and current date into a single encrypted field in the jwt payload so it can be decrypted and validated by the Azure Gateway.
We don’t currently support JWE tokens, so your statement is correct: access and ID tokens issued by an Okta Authorization Server are signed but not encrypted.
If you stored encrypted data on the user’s profile, you could configure the Authorization Server to include that data in the token, but the AS itself doesn’t do any encryption.
Thanks for clarifying Nate.
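An added illustration of the workaround Nate describes, not code from Okta or from this thread: the member number and a date are sealed with AES-256-GCM into one base64url string that can be stored on the user's profile and mapped to a custom claim, and the gateway decrypts it only after the JWT signature has been verified, rejecting stale or tampered values. The key, the `MemberSecret` struct and the nonce-prefixed claim layout are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// MemberSecret is what the question wants hidden inside the signed JWT (assumed shape).
type MemberSecret struct {
	MemberNumber string    `json:"member_number"`
	SealedAt     time.Time `json:"sealed_at"` // when the value was produced, checked by the gateway
}

// SealMemberClaim encrypts the secret with AES-256-GCM and returns base64url text. Stored on the
// Okta profile, it is copied into a custom claim as-is: the AS signs the token but never sees the plaintext.
func SealMemberClaim(key []byte, s MemberSecret) (string, error) {
	plaintext, err := json.Marshal(s)
	if err != nil { return "", err }
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return "", err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	// Layout: nonce || ciphertext || GCM tag, so a single claim field carries everything.
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// OpenMemberClaim is the gateway side. Call it only after the JWT signature has been verified;
// it decrypts the claim, fails on any tampering (GCM tag) and rejects values older than maxAge.
func OpenMemberClaim(key []byte, claim string, now time.Time, maxAge time.Duration) (MemberSecret, error) {
	var s MemberSecret
	raw, err := base64.RawURLEncoding.DecodeString(claim)
	if err != nil { return s, err }
	block, err := aes.NewCipher(key)
	if err != nil { return s, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return s, err }
	if len(raw) < gcm.NonceSize() { return s, errors.New("claim too short") }
	plaintext, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil { return s, errors.New("claim failed to authenticate: wrong key or tampered") }
	if err := json.Unmarshal(plaintext, &s); err != nil { return s, err }
	if now.Sub(s.SealedAt) > maxAge { return s, errors.New("claim is stale") }
	return s, nil
}
```

Because the value lives on the profile rather than being generated per token, the date inside it is the time it was sealed, not the token's issue time, so the gateway's freshness window applies to the stored value and the attribute must be re-sealed before it expires.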