Support for encrypted JWT ID tokens (JWE)

Hello,

I’m interested in using origin client authentication with Istio, but I’d prefer that the claims in the JWT token are not visible to the end user, but only to the Identity provider and to the Resource server (my API) and obviously to Istio itself.
My understanding is that this is something that is normally solved by using JWE. However, I haven’t found anything in the documentation or the source code about this being supported, or even planned, in Istio.

Does anyone have any insights into this?

Thanks!
Bogdan

Hi @Bogdan_Dimitriu,

Could you solve this issue? I’m having the same problem with my solution.

Hi Bogdan and others,

A feature at this level would need to be discussed and reviewed as an RFC in the Security WG meeting. We could then see whether there are other alternatives, etc.

As for encryption of the JWT token itself, I haven’t heard of much other than this FQ.

For example, how do we encrypt into JWE? Does that mean Istio needs to be able to work with those keys? Provided by Istio, or pluggable by the operator?