By: Bahador Raha user 05 Nov 2017 at 12:51 p.m. CST

2 Responses
Hi,

As mentioned in the OpenID Connect spec:

> If the Authorization Server has advertised JWE encryption algorithms in the request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported elements of its Discovery Document, these are used by the Client to encrypt the JWT.

it is expected that the Gluu authorization server supports "request object encryption", but there is no key with encryption usage in its jwks_uri which can be used by a client to encrypt its request object. Is it supported by Gluu? If yes, should I add an encryption key to the jwks_uri?

Thanks in advance

By Javier Rojas staff 08 Nov 2017 at 1:10 p.m. CST

Hello Bahador,

Yes, oxAuth supports encrypted JWE Authorization Request Objects (it also supports encrypted id_token and user_info). In the configuration endpoint you can see the list of supported algorithms: https://ce-dev4.gluu.org/.well-known/openid-configuration

```
"request_object_encryption_alg_values_supported": [
  "RSA1_5",
  "RSA-OAEP",
  "A128KW",
  "A256KW"
],
"request_object_encryption_enc_values_supported": [
  "A128CBC+HS256",
  "A256CBC+HS512",
  "A128GCM",
  "A256GCM"
],
```

Here is a complete example that uses Alg=RSA15 and Enc=A128CBCPLUSHS256 to encrypt the Authorization Request Object, the ID Token and the User Info: https://github.com/GluuFederation/oxAuth/blob/master/Client/src/test/java/org/xdi/oxauth/ws/rs/MultivaluedClaims.java#L2584

Best Regards
Javier

By Bahador Raha user 12 Nov 2017 at 3:22 p.m. CST

Thanks for your reply. I wonder why there is no key with encryption usage in the jwks_uri of the authorization server (the client cannot encrypt its authorization request object since there is no enc key in the jwks_uri of the authorization server). Should I add a new key with enc usage to the authorization server's keystore, and if yes, how?

**UPDATE**: I found [this](https://github.com/GluuFederation/oxAuth/issues/91) open issue in oxAuth. It seems this feature is not yet supported.
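The two things this thread turns on are what a client has to check before it can encrypt a request object: the `request_object_encryption_*_values_supported` lists Javier points to in the discovery document, and whether `jwks_uri` actually publishes a key a client may encrypt to, which is what Bahador finds missing. The following is an added Python example of that client-side check; it is not code from the posts above or from oxAuth. The discovery document and the two JWKS documents it reads are constructed for the example (key material is elided as `"..."`, and the issuer and `jwks_uri` values are made up), and the preference order for algorithms is this example's choice, not something the thread states.

```python
"""
Client-side check for OIDC request-object encryption (JWE): read the AS
discovery document and its JWKS, and pick an alg/enc pair plus the AS key
that can actually wrap the content-encryption key.
Added illustration, not oxAuth code; all sample documents are constructed.
"""
import json
from typing import Optional

# Constructed discovery metadata. The two "_values_supported" lists mirror
# the ones quoted in the thread; issuer and jwks_uri are assumptions.
DISCOVERY = json.loads("""{
  "issuer": "https://as.example",
  "jwks_uri": "https://as.example/jwks",
  "request_object_encryption_alg_values_supported":
      ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "request_object_encryption_enc_values_supported":
      ["A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"]
}""")

# Constructed JWKS that only publishes a signing key: the situation the
# question describes. Key material is elided; only the metadata matters here.
JWKS_SIG_ONLY = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256",
   "n": "...", "e": "AQAB"}
]}""")

# Constructed JWKS where the AS additionally publishes an encryption key.
JWKS_WITH_ENC = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256",
   "n": "...", "e": "AQAB"},
  {"kty": "RSA", "kid": "enc-1", "use": "enc", "n": "...", "e": "AQAB"}
]}""")

# Asymmetric JWE key-management algorithms and the JWK key type each needs.
# A128KW/A256KW are deliberately absent: OIDC Core 10.2 derives their key
# from the client_secret, so there is nothing to look up in the AS JWKS.
KTY_FOR_ALG = {
    "RSA-OAEP-256": "RSA", "RSA-OAEP": "RSA", "RSA1_5": "RSA",
    "ECDH-ES": "EC", "ECDH-ES+A128KW": "EC", "ECDH-ES+A256KW": "EC",
}

# This example's preference order. RSA1_5 (PKCS#1 v1.5 padding) comes last
# because of padding-oracle attacks on it; AEAD (GCM) is preferred over
# CBC+HMAC. The "+" spellings are the pre-RFC names the thread's server
# advertises; the "-" spellings are the RFC 7518 names.
PREFERRED_ALGS = ["ECDH-ES", "RSA-OAEP-256", "RSA-OAEP", "RSA1_5"]
PREFERRED_ENCS = ["A256GCM", "A128GCM",
                  "A256CBC-HS512", "A128CBC-HS256",
                  "A256CBC+HS512", "A128CBC+HS256"]


def key_can_wrap(key: dict, alg: str) -> bool:
    """True if a JWK may be used as the recipient key for this JWE alg."""
    if key.get("kty") != KTY_FOR_ALG.get(alg):
        return False
    # RFC 7517: "use" and "key_ops" are optional, but when present they must
    # permit encryption; a key marked "sig" must never be a JWE recipient.
    if key.get("use", "enc") != "enc":
        return False
    ops = key.get("key_ops")
    if ops is not None and not ({"wrapKey", "deriveKey", "encrypt"} & set(ops)):
        return False
    # A key pinned to a specific alg may only be used with that alg.
    return key.get("alg") in (None, alg)


def select_jwe_params(discovery: dict, jwks: dict) -> Optional[dict]:
    """Return {"alg", "enc", "kid"} the client should use to encrypt its
    request object, or None when the AS advertises JWE support but publishes
    no key the client could encrypt to (the failure mode in the thread)."""
    algs = discovery.get("request_object_encryption_alg_values_supported", [])
    encs = discovery.get("request_object_encryption_enc_values_supported", [])
    enc = next((e for e in PREFERRED_ENCS if e in encs), None)
    if enc is None:
        return None  # no content-encryption algorithm in common
    for alg in PREFERRED_ALGS:
        if alg not in algs:
            continue
        for key in jwks.get("keys", []):
            if key_can_wrap(key, alg):
                return {"alg": alg, "enc": enc, "kid": key.get("kid")}
    return None


if __name__ == "__main__":
    print(select_jwe_params(DISCOVERY, JWKS_SIG_ONLY))
    print(select_jwe_params(DISCOVERY, JWKS_WITH_ENC))
```

With the signing-only JWKS the function returns `None` even though the discovery document advertises `RSA1_5` and `RSA-OAEP`: the advertisement alone is not enough, the client also needs a recipient key with `use: "enc"` (or no `use`) and a matching `kty`. The check deliberately refuses a key marked `use: "sig"` rather than falling back to it. Note that the symmetric algorithms the same server advertises, `A128KW` and `A256KW`, are keyed from the `client_secret` per OIDC Core section 10.2 and do not need a JWKS entry at all, so a confidential client can still encrypt its request object to that server with them.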