Description

The OIDC Core Specification recommends decrypting the ID Token if it's encrypted:

> If the ID Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt the ID Token. If encryption was negotiated with the OP at Registration time and the ID Token is not encrypted, the RP SHOULD reject it.

AFAIK, JWEs are not often used. But as Symfony supports the OIDC feature (experimentally), it could be interesting to support JWE. It concerns only OidcTokenHandler.

Question: should it be a new feature or a bugfix (as it's part of the Core Specification)?

Example

To decrypt a JWE, a public JWK is required. Hopefully, it is available on the /certs endpoint of the OIDC server, so we can import it dynamically (cf. #50434).
```yaml
security:
    firewalls:
        main:
            oidc:
                # add new "encryption" option
                encryption:
                    # (the three proposals below are alternatives, shown together for comparison)
                    # proposal 1: same approach as the "signature.key" option, the JWK is set here as a JSON string
                    key: '{"kid": "...","kty": "RSA","alg": "RS256","use": "sig","n": "3G..."}'
                    # proposal 2: detect that the value is a URI, call it to import the JWK
                    key: 'https://www.example.com/protocol/openid-connect/certs'
                    # proposal 3: add a "certs" option, not combinable with "key", to import and set the "key" option dynamically
                    certs: 'https://www.example.com/protocol/openid-connect/certs'
```
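As an added example (not code from the Symfony project or from this issue's author), the following stdlib-only Python shows the JOSE-level checks an RP token handler has to make before it hands an ID Token to a JWE library: telling a JWS from a JWE by segment count and the mandatory `enc` header, enforcing the rule quoted above that a cleartext token is rejected when encryption was negotiated, allowlisting `alg`/`enc` so the token cannot choose the algorithm, and selecting the JWK from a JWK Set by `kid`, `use` and `alg`. The token headers, the JWK Set and the placeholder body segments are constructed for the demo, and the allowlists and the `TokenRejected` type are assumptions of this example. One point worth keeping in mind when wiring the key option: a JWE is decrypted with the recipient's private key, so the RP decrypts with its own private JWK (`use: enc`), whereas the keys an OP publishes at its jwks_uri (the /certs endpoint) are public keys used to verify the ID Token signature.

```python
"""JOSE-level pre-checks an RP token handler makes before verifying or decrypting an ID Token.

Stdlib only. Decides whether a token may be handed to a JWS/JWE library, and with which key:
  * JWS (3 segments) vs JWE (5 segments, mandatory "enc" header),
  * reject a cleartext token when ID Token encryption was negotiated at registration,
  * allowlist "alg"/"enc" so the token cannot pick the algorithm,
  * select the JWK from a JWK Set by kid / use / alg.
"""
import base64
import json
from dataclasses import dataclass

# Allowlists are an assumption of this example; a real handler takes them from its configuration.
ALLOWED_JWE_ALG = {"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A256KW"}  # no RSA1_5 (RFC 8725 advises against it)
ALLOWED_JWE_ENC = {"A128GCM", "A256GCM", "A128CBC-HS256", "A256CBC-HS512"}


class TokenRejected(Exception):
    """Raised for any token the handler must not process further."""


def b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url (RFC 7515 section 2); restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


@dataclass(frozen=True)
class ClassifiedToken:
    kind: str        # "JWS" or "JWE"
    header: dict     # decoded protected header
    segments: tuple  # raw compact-serialization segments


def classify(token: str, encryption_required: bool) -> ClassifiedToken:
    segments = tuple(token.split("."))
    kind = {3: "JWS", 5: "JWE"}.get(len(segments))
    if kind is None:
        raise TokenRejected(f"not a compact JOSE token ({len(segments)} segments)")
    try:
        header = json.loads(b64url_decode(segments[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("unparseable protected header") from exc
    if not isinstance(header, dict):
        raise TokenRejected("protected header is not a JSON object")
    # A JWE header always carries "enc" (RFC 7516 section 4.1.2); a JWS header never does.
    if (kind == "JWE") != ("enc" in header):
        raise TokenRejected("segment count and enc header disagree")
    if encryption_required and kind != "JWE":
        # OIDC Core 3.1.3.7 step 1: encryption negotiated at registration but the token is cleartext.
        raise TokenRejected("ID Token encryption was negotiated but the token is not a JWE")
    if kind == "JWE":
        if header.get("alg") not in ALLOWED_JWE_ALG or header.get("enc") not in ALLOWED_JWE_ENC:
            raise TokenRejected(f"JWE alg/enc not allowed: {header.get('alg')}/{header.get('enc')}")
    elif header.get("alg") in (None, "none"):
        raise TokenRejected("JWS alg missing or 'none'")
    return ClassifiedToken(kind, header, segments)


def select_key(jwks: dict, header: dict, use: str) -> dict:
    """Pick the one JWK usable for this token: "kid" must match when the header has one,
    "use" must match the operation ("sig" to verify, "enc" to decrypt; RFC 7517 section 4.2)
    and a key-level "alg" must agree with the header's alg (section 4.4)."""
    candidates = [
        jwk for jwk in jwks.get("keys", [])
        if jwk.get("use", use) == use                               # keys without "use" are unrestricted
        and ("kid" not in header or jwk.get("kid") == header["kid"])
        and ("alg" not in jwk or jwk["alg"] == header.get("alg"))
    ]
    if len(candidates) != 1:
        raise TokenRejected(f"expected exactly one usable key, found {len(candidates)}")
    return candidates[0]


def preflight(token: str, jwks: dict, encryption_required: bool) -> str:
    """Report what the handler does next: which key to use, or why the token is rejected."""
    try:
        classified = classify(token, encryption_required)
        key = select_key(jwks, classified.header, "enc" if classified.kind == "JWE" else "sig")
    except TokenRejected as exc:
        return f"REJECTED: {exc}"
    # OIDC Core section 2: an encrypted ID Token is signed then encrypted, i.e. a Nested JWT flagged
    # by cty "JWT" (RFC 7519 section 5.2); the inner JWS still has to be verified after decryption.
    nested = " (nested JWT to verify after decryption)" if str(classified.header.get("cty", "")).upper() == "JWT" else ""
    return f"{classified.kind} using kid={key.get('kid')}{nested}"


# --- Constructed sample data (not real keys or tokens) ---------------------------------------
def make_sample(header: dict, segment_count: int) -> str:
    """Build a compact token with a real header and placeholder body segments ("QUJD" = "ABC")."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([head] + ["QUJD"] * (segment_count - 1))


SAMPLE_JWKS = {"keys": [  # modulus values are placeholders; select_key never uses them
    {"kty": "RSA", "kid": "op-sig-1", "use": "sig", "alg": "RS256", "n": "x", "e": "AQAB"},
    {"kty": "RSA", "kid": "rp-enc-1", "use": "enc", "alg": "RSA-OAEP-256", "n": "x", "e": "AQAB"},
]}
SAMPLE_JWS = make_sample({"alg": "RS256", "kid": "op-sig-1"}, 3)
SAMPLE_JWE = make_sample({"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": "rp-enc-1", "cty": "JWT"}, 5)

if __name__ == "__main__":
    print(preflight(SAMPLE_JWS, SAMPLE_JWKS, encryption_required=False))
    print(preflight(SAMPLE_JWS, SAMPLE_JWKS, encryption_required=True))
    print(preflight(SAMPLE_JWE, SAMPLE_JWKS, encryption_required=True))
```

`preflight` only decides whether decryption or verification may run and with which key; the selected JWK and the raw segments are then passed to the JOSE library, and for a JWE the decrypted payload goes through the same JWS path a second time, since the inner signature is what actually authenticates the OP.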
I'd say it's a new feature, given that solving it implies extending the configuration.
> It concerns only OidcTokenHandler.

Note that pretty much everything may be encrypted in OIDC interactions, even UserInfo success responses used by OidcUserInfoTokenHandler. Use cases are probably even less common though.