Support IdTokens which are returned encrypted in the code exchange response #26566
Conversation
sberyozkin
force-pushed
the
encrypted_id_token
branch
2 times, most recently
from
70970bc to
11fbfd3
Compare
|
Sorry for last force pushes, I only seem to notice doc typos when I open a main branch PR :-) |
This comment has been minimized.
This comment has been minimized.
sberyozkin
force-pushed
the
encrypted_id_token
branch
from
11fbfd3 to
2cde7f0
Compare
|
I'll need to check PEM formatted keys |
sberyozkin
force-pushed
the
encrypted_id_token
branch
from
2cde7f0 to
28f80c3
Compare
This comment has been minimized.
This comment has been minimized.
sberyozkin
force-pushed
the
encrypted_id_token
branch
from
28f80c3 to
cdfb790
Compare
|
@sberyozkin LGTM. As discussed, perhaps we can fallback to the private key already configured for the client (e.g.: authentication) to decrypt tokens. I think that would make things easier for those relying on the same keys for signing and encrypting. |
|
Thanks @pedroigor, it is a good idea, and in fact it has helped me realize the current solution is not good enough, because it does not work in a multi-tenancy case :-), so this PR will need more work. |
sberyozkin
force-pushed
the
encrypted_id_token
branch
from
cdfb790 to
fdf55d8
Compare
|
@pedroigor Sorry, got confused on Friday, it works as is right now for the multi-tenancy case but indeed, will have a look at the fallback to the private_key_jwt authentication key idea |
sberyozkin
force-pushed
the
encrypted_id_token
branch
from
fdf55d8 to
3fa08ec
Compare
|
Hey @pedroigor So, I've added an option to fallback to the client private key if the |
Fixes #26317.
OIDCspec allows for IdTokens being inner-signed and encrypted as opposed to signed only which is a typical case.At the moment Quarkus will treat the encrypted tokens as opaque tokens and forward them for the remote introspection to the providers with the token content expected to be returned in the introspection response.
However, the case in #26317 is different. The provider is set up with the client public key only which it uses to encrypt the token while the private key is not known to the provider and only the client/Quarkus endpoint can be aware of it.
This PR adds a
quarkus.oidc.token.decryption-key-locationproperty which for now is only used for decrypting the id tokens but might be used for decrypting the access tokens in the future too.RSA-OAEP/A256GCMpair of algorithms is used by default but it will become customizable once such a requirement arises.If this key location is set and IDToken is considered to be encrypted then it will decrypt it.
The important thing is that it should not be saved in a decrypted form in a session cookie (which is what happens with a workaround in #26317) since it will conflict with the purpose of encrypting the ID token on the provider level - it is done only if IdToken is considered to contain sensitive claims