Support for encrypted JWT ID tokens (JWE)

Bogdan_Dimitriu · October 2, 2019, 10:23am

Hello,

I’m interested in using origin client authentication with Istio, but I’d prefer that the claims in the JWT token are not visible to the end user, but only to the Identity provider and to the Resource server (my API) and obviously to Istio itself.
My understanding is that this is something that is normally solved by using JWE. However I haven’t found anything in the documentation or the source code about this being supported or even being planned in Istio.

Does anyone have any insights into this?

Thanks!
Bogdan

guivands · January 22, 2021, 6:59pm

Hi @Bogdan_Dimitriu,

Could you solve this issue? I’m having the same problem with my solution.

incfly · January 22, 2021, 9:31pm

Hi Bogdan and others,

Something like this level feature support would be needed to discuss and reviewed as a RFC in Security WG meeting. We can therefore see if there’s other alternative etc.

As for encryption of JWT token itself, I haven’t heard of any much other than this FQ.

incfly · January 22, 2021, 9:32pm

For example, how do we encrypt into JWE? Does that mean Istio need to be able to work with those keys? Provided by Istio or pluggable by operator?

Topic		Replies	Views
JWT and Authorization Security	7	943	July 2, 2019
How to decrypt a JWT Security	1	391	May 17, 2022
Istio maturity observations	1	833	April 23, 2020
Externally provided JWT Auth Token	0	340	October 3, 2019
Newbie Question on Authorization and JWT Contributors	2	559	January 20, 2020

Support for encrypted JWT ID tokens (JWE)

Related Topics