ID Token encryption (JWE) according to OIDC specification #3612
Replies: 1 comment 2 replies
-
|
Hello @megical-access Ory does take security seriously and uses various encryption methods to secure tokens and keys. For instance, Ory OAuth2 and OpenID Connect generate two cryptographic keys for each Ory Network project, and these keys are stored securely and encrypted at rest using AES256-GCM and the system secret (source). If this is something you would like to use in your company, I would recommend to contact the team and start a conversation! |
Beta Was this translation helpful? Give feedback.
-
|
The JWT generated by Hydra are signed, so integrity is protected. A signed JWT does not give any confidentiality, as the content is not encrypted. If confidentiality is required, Hydra would need to support generating a JWE. If I understand the question correctly, it is not related to how encryption at rest is done but if support for JWE is planned. |
Beta Was this translation helpful? Give feedback.
-
|
@gi-wg2 I think it would be a good addition, but AFAIK it is not directly planned yet. |
Beta Was this translation helpful? Give feedback.
-
Hi, does ORY have any plans to support ID token encryption in the future? ID token may include sensitive claims about user and at least in Finnish Trust Network it is mandatory feature. I think that in the near future also eIDAS context will require it for some ACRs.
Beta Was this translation helpful? Give feedback.
All reactions