3

Does Thinktecture.IdentityServer support encrypting the JWT tokens it issues, for example to protect the token from being used in a replay attack?

If yes, how can a client decrypt the encrypted token?

I have tried enabling "Require Token Encryption" in the IdentityServer General Configuration; however, after doing so, when I try to log in I get a "No encryption key available" message on the identity server web page.

Is there a problem or am I missing a required setting?

Crescent Fresh
Aggis Wu

1 Answer

5

Encryption is for confidentiality, not for preventing replay attacks.

The Microsoft jwt library does not support encryption. And we rely on that library.

leastprivilege
  • I have another question: I use https://abc.def.com/issue/oauth2/authorize and only use JavaScript to pass the parameters to IdentityServer, then I can get the access token. I just need to use Base64Url to decode this access token. I don't want a user or hacker to be able to decode it easily. Is it possible that we can improve this security issue? Thanks again. – Aggis Wu Apr 30 '14 at 16:08
  • 1
    This is not a security issue per se. The token is signed and cannot be changed after it has been issued. Microsoft's library does not support encryption - so if confidentiality is an issue for you - you can't use the current JWT implementation. – leastprivilege May 01 '14 at 07:32
  • Do you mean that no one can change the token, right? I tried putting the access token into the [Google JWT decoder](https://developers.google.com/wallet/digital/docs/jwtdecoder), and I got three parts: header, claims, signature. If someone tries to change the claims, re-wraps that information into a new access token and passes this new token to my RP client, is that impossible or not? If not, may I use the header (x5t) string and the signature string to validate the new token at my RP client? – Aggis Wu May 01 '14 at 12:38
  • 2
    That is not possible - because you would break the signature. – leastprivilege May 06 '14 at 06:50