I’m interested in using origin client authentication with Istio, but I’d prefer that the claims in the JWT token are not visible to the end user, but only to the Identity provider and to the Resource server (my API) and obviously to Istio itself.
My understanding is that this is something that is normally solved by using JWE. However I haven’t found anything in the documentation or the source code about this being supported or even being planned in Istio.
Something like this level of feature support would need to be discussed and reviewed as an RFC in the Security WG meeting. We can then see if there are other alternatives, etc.
As for encryption of the JWT token itself, I haven’t heard of much other than this FQ.