 

Do OpenID Connect Providers encrypt then sign their JWTs?

My team is making an existing product an OpenID Connect RP (relying party) and is using connect2id's Nimbus JOSE + JWT library. That library supports signed and encrypted JWTs, but only signed first, then encrypted. They have their reasons for not supporting encrypt-then-sign, but our concern is that some of the OPs we need to interact with may do encrypt-then-sign.

We are initially targeting Salesforce and Google. I have been unable to determine from their documentation whether, when acting as OpenID Connect Providers, Salesforce and Google use sign-then-encrypt or encrypt-then-sign.

Can anyone point me to pages where this is documented for these OPs? Or is it a non-issue because no one uses encrypt-then-sign? Thanks.

Michael asked Mar 14 '23 00:03


1 Answer

When/if encryption is used, Connect OPs will always sign and then encrypt, if they are following the specification. Section 2 of OpenID Connect Core says, "If the ID Token is encrypted, it MUST be signed then encrypted". Section 16.14, Signing and Encryption Order, says the same thing in a little more detail.

Brian Campbell answered Apr 13 '23 18:04