Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

OAuth 2.0 and OpenID Connect

ID token encryption

IDAAS core
Tenants and brands
Identity store and data model
SCIM API
- SCIM schemas
- SCIM user management
- SCIM user attributes
- SCIM API versions
Credential store
- Email address management
- Password management
- Password migration
Tokens
- Access tokens
- ID tokens
- Refresh tokens
- Access token API
- Token introspection API
Authentication
- Client authentication methods
- Step-up authentication
- Custom authenticators
- Authentication FAQ
Custom registration
- Custom registration examples
- QR registration example
- Stateless custom registration
- Custom registration API v1
- Custom registration v2
- Back-channel communication API
OAuth 2.0 and OpenID Connect
- OAuth 2.0 and OpenID Connect API
- Proof Key for Code Exchange
- Dynamic client registration API
- OAuth client authentication methods
- Device flow
- OAuth OIDC error handling
- OAuth 2.0 and OpenID Connect setup
- OpenID Connect
- OpenID Connect authentication
- OpenID Connect scopes and claims
- User claims and attributes
- OpenID provider configuration
- ID token encryption
- iFrame session monitoring
  - Relying party iFrame
  - End session API
  - Session management APIs
- Relying party examples
- OAuth endpoints
- Discovery API
- JSON Web Key Set API
- User information API
- OAuth configuration
- OAuth consent API
Web clients
- Web clients API
- Migration of web clients with hashed secrets
- Resource owner password credentials
Web hooks
- Web hooks configuration API
API rules
Notification API
Event store
- Audit events
- Audit log
- Events API
- Excluded events
- Security events
Securing resources
User session API
User management
Uniquely identify guests
Email overview

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
OAuth 2.0 and OpenID Connect
ID token encryption

ID token encryption

ID token encryption provides the confidentiality of the claims within the ID token.

Configure encryption

The OneWelcome Identity Platform must be configured to enable ID token encryption. The encryption method and JSON Web Key Sets (JWKS) endpoint must be configured to use encryption.

You can read more about configuring a web client with encryption support.

Choose an encryption method

Following OpenID Connect standards, several different encryption methods for a Content Encryption Key (CEK) are supported. This CEK is automatically generated based on the method that you choose, and the length varies accordingly. To see which encryption methods are supported, see the discovery API. You need to configure the encryption method on the web client and use it in your client application when decrypting the ID token.

Provide a JWKS endpoint for encryption

The OneWelcome Identity Platform supports a remote key set for encrypting the generated CEK. As the relying party, public keys must be shared using this endpoint, so the OneWelcome Identity Platform can retrieve them to encrypt the CEK. For help with implementation, see the documentation on OpenID Connect Encryption.

The endpoint that is served from your application must return a list of JWKS. For implementation details, see the RFC specification. A proper max-age directive must be included with the Cache-Control header as a part of the response. If none is provided, the time-to-live (TTL) defaults to the REDIS_DEFAULT_JWKS_URI_RESPONSE_TTL_SECONDS environment variable value. Make sure that you consider key rotation as described in the spec.

The OneWelcome Identity Platform supports several different asymmetric algorithms. For information about which algorithms are supported, see the discovery API.

Decryption library

To help with decryption in your application, you can use the Nimbus JOSE+JWT library. It contains constants for the encryption methods and algorithms that are supported by the OneWelcome Identity Platform implementation. It simplifies the code necessary for decrypting the JWE and verifying the signed JWT.

On this page

OneWelcome Identity Platform

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com