By: Bahador Raha user 21 Nov 2017 at 4:43 a.m. CST

3 Responses
Hi, I previously asked a question about "Request Object Encryption" [here](https://support.gluu.org/identity-management/4728/request-object-encryption/) and received an answer which seemed incorrect or at least confusing, and the thread was closed. I replied on it but did not get an answer and had to open a new ticket here.

I asked about Request Object Encryption support by oxAuth and received this answer:

> Yes, oxAuth supports encrypted JWE Authorization Request Object

If this is true, I wonder why there is no key with encryption usage in the jwks_uri of the authorization server (the client cannot encrypt its authorization request object since there is no enc key in the jwks_uri of the authorization server). I also found [this](https://github.com/GluuFederation/oxAuth/issues/91) open issue, which suggests this feature is not yet supported by oxAuth.

By Michael Schwartz Account Admin 24 Nov 2017 at 12:08 p.m. CST

The client registers its JWKS or jwks_uri during [client registration](http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata). The corresponding client private key would be used for request object encryption. The OP jwks_uri would be used for signing. Does that answer your question?

By Javier Rojas staff 24 Nov 2017 at 8:06 p.m. CST

Hello Bahador,

Yes, oxAuth supports encrypted JWE Authorization Request Object, and I have closed Issue #91 because it was a very old issue: https://github.com/GluuFederation/oxAuth/issues/91

I understand your concern about the "use=enc" attribute. oxAuth is using the same jwk for signing and for encryption. Although it is possible, it is recommended to generate a different set of keys, one for signing and another for encryption. I will update the set of keys in server and client tests to use different keys for signing and encryption: https://github.com/GluuFederation/oxAuth/issues/699

There is a tool to generate new sets of keys at: https://github.com/GluuFederation/oxAuth/blob/master/Client/src/main/java/org/xdi/oxauth/util/KeyGenerator.java

Regards,
Javier

By Bahador Raha user 25 Nov 2017 at 5:12 a.m. CST

Hi Michael, thanks for your reply, but I think you are wrong. The client encrypts its request using the oxAuth public key, thus only oxAuth can decrypt it using its private key and see its content.

Thanks Javier for the update.
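The thread turns on how a client picks an OP public key for request object encryption from the published JWKS. The following is an added example (not code from Gluu or from any participant) that applies the RFC 7517 `use`, `key_ops` and `alg` rules to three constructed JWKS documents: one with signing-only keys (the situation Bahador describes), one with a single dual-purpose key carrying no `use` (the situation Javier describes), and one with separate signing and encryption keys. All key material below is a placeholder, not a real key.

```python
import json

# Constructed JWKS documents (placeholders, not fetched from any server).
# Case 1: every key is marked for signing only; no key is usable for JWE.
JWKS_SIG_ONLY = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256",
   "n": "placeholder-modulus", "e": "AQAB"}]}""")

# Case 2: one key with no "use" at all, shared for signing and encryption.
JWKS_DUAL = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "shared-1",
   "n": "placeholder-modulus", "e": "AQAB"}]}""")

# Case 3: separate keys, the layout the thread recommends.
JWKS_SPLIT = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256",
   "n": "placeholder-modulus-1", "e": "AQAB"},
  {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP",
   "n": "placeholder-modulus-2", "e": "AQAB"}]}""")

# JWE key-management algorithms and the key type each one needs.
ALG_KTY = {"RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
           "ECDH-ES": "EC"}
ENC_OPS = {"encrypt", "wrapKey"}   # key_ops values that permit encryption


def select_encryption_key(jwks, alg):
    """Return the first JWK a client may use to encrypt a request object
    with the given JWE alg, or None if the JWKS offers no such key.

    RFC 7517 rules applied: a present "use" must be "enc"; a present
    "key_ops" must allow encrypt/wrapKey; a present "alg" must match.
    A key that states none of these is unrestricted, so a dual-purpose
    key (case 2) is accepted while a signing-only key (case 1) is not.
    """
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != ALG_KTY.get(alg):
            continue
        if "use" in jwk and jwk["use"] != "enc":
            continue
        if "key_ops" in jwk and not ENC_OPS & set(jwk["key_ops"]):
            continue
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        return jwk
    return None


def jwe_protected_header(jwk, alg, enc="A128CBC-HS256"):
    """Build the JWE protected header a client would emit for the chosen key."""
    return {"alg": alg, "enc": enc, "kid": jwk["kid"], "cty": "JWT"}
```

Running `select_encryption_key(JWKS_SIG_ONLY, "RSA-OAEP")` yields `None`, which is exactly the "no enc key in jwks_uri" problem raised in the question; the dual-purpose and split JWKS both yield a usable key.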