OpenAM 13.5 documentation explains how to enable encryption for Identity tokens (OIDC). This means enabling encryption for the payload of the JWT message.
However, I have not been able to find in the documentation or directly in the OpenAM administration console how to enable encryption for stateless OAuth2 access tokens (JWT-encoded).
Can someone confirm that encryption for OAuth2 stateless (JWT) tokens is not supported?
The thing is I have found this other open JIRA issue regarding supported encryption algorithms, and reading the description I could understand that this is also supported for OAuth2 stateless tokens: "If JWT encryption is enabled for stateless sessions, OAuth2 stateless tokens or OpenID Connect ID Tokens, the only JWE algorithm we support currently is RSA" (see https://bugster.forgerock.org/jira/browse/OPENAM-9373).
However, I was not able to see how to enable encryption for OAuth2 stateless tokens for OpenAM 13.5.
From my point of view, if encryption is currently not supported for OAuth2 stateless (JWT-encoded) tokens, this is an important feature to add.
The reason is that OpenAM provides both OIDC and OAuth2 specifications.
For those cases where someone wants to use just OAuth2 (not OIDC - whatever the reason) using stateless tokens (that can be validated by Resource Servers (RS) without accessing a token introspection endpoint) it will be very common to include extra information the RS require in the payload of the JWT message (OAuth2 token). As this might be sensitive information it makes sense that the payload containing such information is encrypted.
I guess this makes sense in particular in microservices architectures (for instance), where the RS tend to be stateless and need to build an 'Authentication' object with the minimal information related to the identity of the user in every request, without having to query a token introspection or user info endpoint, for performance reasons (amongst others). A good example of this is the user 'Roles' or 'Authorities', if you want to combine access rules in your RS taking into account OAuth2 scopes and user roles / authorities.
In summary, I guess for scenarios similar to the one described above (which are becoming more and more common) 2 things are necessary:
- Ability to add extra information to the stateless OAuth2 token (in the JWT payload). There is already an open issue for this: https://bugster.forgerock.org/jira/browse/OPENAM-8440
- Support encryption for the OAuth2 stateless token (the JWT payload encrypted, not just the message signed).
Please let me know if I can help somehow or provide arguments (or examples) in favour of the scenarios where I find this useful.
OAuth2 stateless tokens are a very powerful feature (from my point of view the way to go instead of using stateless and a token validation endpoint, in most of the cases), but I think these two points are very important to leverage usage in certain scenarios that currently would be limited because they need to include extra information in the JWT encrypted.
Thanks and Regards,