10.2. Encryption
The encrypting party MUST select an encryption algorithm based on the algorithms supported by the recipient.
Asymmetric Encryption: RSA
The public key to which the content was encrypted MUST be a public key used for encryption published by the recipient in its JWK Set document. If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header. Use the supported RSA encryption algorithm to encrypt a random Content Encryption Key to be used for encrypting the signed JWT. The key usage of the respective keys MUST include encryption.
Asymmetric Encryption: Elliptic Curve
Create an ephemeral Elliptic Curve public key for the epk element of the JOSE Header. The other public key used for the key agreement computation MUST be a public key published by the recipient in its JWK Set document. If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header. Use the ECDH-ES algorithm to agree upon a Content Encryption Key to be used for encrypting the signed JWT. The key usage of the respective keys MUST support encryption.
Symmetric Encryption
The symmetric encryption key is derived from the client_secret value by using a left truncated SHA-2 hash of the octets of the UTF-8 representation of the client_secret. For keys of 256 or fewer bits, SHA-256 is used; for keys of 257-384 bits, SHA-384 is used; for keys of 385-512 bits, SHA-512 is used. The hash value MUST be left truncated to the appropriate bit length for the AES key wrapping or direct encryption algorithm used, for instance, truncating the SHA-256 hash to 128 bits for A128KW. If a symmetric key with greater than 512 bits is needed, a different method of deriving the key from the client_secret would have to be defined by an extension. Symmetric encryption MUST NOT be used by public (non-confidential) Clients because of their inability to keep secrets.
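The symmetric key derivation described above, as an added worked example that is not part of the original issue or of IdentityServer4's code. The mapping from JWE algorithm names to key sizes and the confidential-client check are assumptions made for the example; the hash selection and left truncation follow the text.

```python
import hashlib

# Key length in bits required by each JWE algorithm (assumed table, standard JWA names).
# "dir" with AES-CBC-HMAC needs MAC key || encryption key, hence the doubled sizes.
KEY_BITS = {
    "A128KW": 128, "A192KW": 192, "A256KW": 256,
    "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256,
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}


def select_hash(key_bits: int) -> str:
    """Pick the SHA-2 variant the spec prescribes for a given key length."""
    if key_bits <= 0:
        raise ValueError("key length must be positive")
    if key_bits <= 256:
        return "sha256"
    if key_bits <= 384:
        return "sha384"
    if key_bits <= 512:
        return "sha512"
    # The spec leaves keys longer than 512 bits to a separate extension.
    raise ValueError("keys longer than 512 bits need an extension-defined derivation")


def derive_symmetric_key(client_secret: str, alg: str) -> bytes:
    """Hash the UTF-8 octets of client_secret and keep the leftmost key_bits bits."""
    key_bits = KEY_BITS[alg]
    digest = hashlib.new(select_hash(key_bits), client_secret.encode("utf-8")).digest()
    return digest[: key_bits // 8]


def key_for_client(client_secret: str, alg: str, client_is_confidential: bool) -> bytes:
    """Derive the key only for confidential clients; public clients cannot keep the secret."""
    if not client_is_confidential:
        raise PermissionError("symmetric encryption MUST NOT be used by public clients")
    return derive_symmetric_key(client_secret, alg)


if __name__ == "__main__":
    # Constructed sample secret, not a real credential.
    sample_secret = "example-client-secret-not-real"
    for alg in ("A128KW", "A192CBC-HS384", "A256CBC-HS512"):
        key = key_for_client(sample_secret, alg, client_is_confidential=True)
        print(alg, len(key) * 8, "bits:", key.hex())
```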
any timeline for this future?
Not right now. Does your company need it?
Yes, it would definitely help, and if not, as a workaround I've to go through TokenService. It will be really great if we get built-in support.
OK - if your company likes to sponsor the feature we can prioritize it.
Please see my example implementations: https://github.com/DureSameen/IdentityServer4.JWE
Encrypting identity tokens is possible with the current extensibility points: https://www.scottbrady91.com/Identity-Server/Encrypting-Identity-Tokens-in-IdentityServer4
Yes Scott, your article was so useful when I developed my sample.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.