Merge pull request #5738 from wso2/fixing-product-is-issue-26294-1764136498

Fix: Add OIDC Token Encryption documentation for all IS 7.x versions (Product IS issue #26294)

Author: himeshsiriwardana

en/asgardeo/docs/guides/authentication/oidc/encrypt-decrypt-id-tokens.md

@@ -0,0 +1 @@
+{% include "../../../../../includes/guides/authentication/oidc/encrypt-decrypt-id-tokens.md" %}

en/asgardeo/docs/guides/authentication/oidc/id-token-encryption-reference.md

@@ -0,0 +1 @@
+{% include "../../../../../includes/guides/authentication/oidc/id-token-encryption-reference.md" %}

en/asgardeo/mkdocs.yml

@@ -347,6 +347,9 @@ nav:
             - Tokens and validation:
               - Validate tokens at a resource server: guides/authentication/oidc/token-validation-resource-server.md
               - Validate ID tokens: guides/authentication/oidc/validate-id-tokens.md
+              - Encrypt ID tokens: 
+                - Encrypt and decrypt ID tokens: guides/authentication/oidc/encrypt-decrypt-id-tokens.md
+                - ID token encryption reference: guides/authentication/oidc/id-token-encryption-reference.md
               - Request user information: guides/authentication/oidc/request-user-info.md
               - Revoke tokens: guides/authentication/oidc/revoke-tokens.md
               - Configure token exchange: guides/authentication/configure-token-exchange.md

en/identity-server/7.0.0/docs/assets/img/guides/jwks-uri.png

@@ -0,0 +1 @@
+{% include "../../../../../../includes/guides/authentication/oidc/encrypt-decrypt-id-tokens.md" %}

en/identity-server/7.0.0/docs/assets/img/guides/sample-key-string.png

@@ -0,0 +1 @@
+{% include "../../../../../../includes/guides/authentication/oidc/id-token-encryption-reference.md" %}

en/identity-server/7.0.0/docs/assets/img/guides/upload-sp-cert.png

@@ -31,6 +31,18 @@ With JWT Secured Authorization Response Mode, clients can request authorization
 
 - [JWT Secured Authorization Response Mode (JARM) for OAuth 2.0]({{base_path}}/guides/authentication/oidc/jarm/) has detailed instructions on this.
 
+## Encrypt ID tokens
+
+WSO2 Identity Server supports ID token encryption to enhance security in production environments.
+
+[Encrypt ID tokens]({{base_path}}/guides/authentication/oidc/oidc-token-encryption/) has detailed instructions on how to configure ID token encryption for your applications.
+
+## Decrypt encrypted ID tokens
+
+If you have enabled ID token encryption, you can decrypt the encrypted ID tokens to view the JSON values.
+
+[Decrypt encrypted ID tokens]({{base_path}}/guides/authentication/oidc/oidc-token-decryption/) has detailed instructions on how to decrypt ID tokens using a Java program.
+
 ## Validate ID tokens
 
 This section explains how the signature and the claims are verifieed in the ID token that is sent by WSO2 Identity Server to an application.

en/identity-server/7.0.0/docs/guides/authentication/oidc/encrypt-decrypt-id-tokens.md

@@ -0,0 +1,114 @@
+# Decrypt OpenID Connect encrypted ID tokens
+
+WSO2 Identity Server provides encrypted ID tokens to address security vulnerabilities in the production environment.
+
+- Unencrypted JWT ID tokens contain only two base64 encoded portions separated by a period (`.`).
+
+    ```xml
+    <header>.<body>
+    ```
+
+    The following is an example where unencrypted ID tokens contain only two base64 encoded portions separated by a period (`.`).
+
+    ```java
+    eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0
+    ```
+
+- Encrypted ID tokens contain five base64 encoded portions separated by a period (`.`).
+
+    ```xml
+    <header>.<Encrypted_Key>.<Initialization_Vector>.<Ciphertext>.<Authentication_Tag>
+    ```
+
+    The following is an example where the encrypted ID token contains five base64 encoded portions separated by a period (`.`).
+
+    ```java
+    eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBMV81In0.Zwp2xDvYER9lAo43QrYrcaKz-tPLFPYZb2s4RontDDVyvdo-seYl6II2C1Wb4cQhXdipcB_Qj093xvLrJyZXWxeavqYhryeuHi2jgcs59MfV1U9hMaKqqjVN1pcZYSrxDzn5leBF5bw7_YKaD_R6cFY8VtpVv5j_U8WohtyIjM7_n2CsZ55vY8MUHCAYxzXK9_s75e6Ug8L4MEqpgeoJGQzYCxFrBFgGyDMv1jadLwNl4Y3yLhv4RLtQMU5AM6nODI601UfYdrapObF3mpl_74H_YdRqT28LepGMtkEXbjeRgB-FiFGLvYlrK4wygczLBKrcviVyzyhrIrqz3TYV3g.Lf5lECzAdyAGgP8t.SHBUZoWkqwW_7u0GElrUqX1tewqRaUMWdGPHxpLRPmpVuc7FwQ27-kdsQ6O1_twhZ7uzjzZaEkatNhMxy9k10733-r4GT1lTGVqidKiBZq3mRQu7qJpcz7JWUroNFRLxhSoqpLpC8_tAhkohzG-mE42xdEh4tNDy3pBtAG0fe42WrLtWTuyg5lpmOYSppOc2Gb6LcDr4MmxFNPgoatF0edJSgO-CpFJQTcXn-22lU2g7o22x3RcBx9_KZH0At3g9y9uTuBncExOoBRK_ZweKOl0q76TaLiv5faXINW15xz9hILA.RGYIL7FaQqAIMPAiQdkOig
+    ```
+
+If you want to see the exact JSON values of the ID token, you have to decrypt it.
+
+The following is a simple Java program to decrypt the ID token using the default `wso2carbon.jks` keystore in WSO2 Identity Server.
+
+```java
+package org.wso2.sample;
+
+import com.nimbusds.jose.crypto.RSADecrypter;
+import com.nimbusds.jwt.EncryptedJWT;
+
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.interfaces.RSAPrivateKey;
+
+public class DecryptIDToken {
+    public static void main(String[] args) throws Exception {
+
+        // Get keystore as a resource.
+        InputStream file = ClassLoader.getSystemResourceAsStream("wso2carbon.jks");
+        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keystore.load(file, "wso2carbon".toCharArray());
+
+        String alias = "wso2carbon";
+
+        // Get the private key. Password for the key store is 'wso2carbon'.
+        RSAPrivateKey privateKey = (RSAPrivateKey) keystore.getKey(alias, "wso2carbon".toCharArray());
+
+        // Enter encrypted JWT String here.
+        String encryptedJWTString = "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZp" +
+                "TVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJlbmMiOiJ" +
+                "BMjU2R0NNIiwiYWxnIjoiUlNBMV81In0.Zwp2xDvYER9lAo43QrYrcaKz-tPLFPYZb2s4RontDDVyvdo-seYl6II2C1Wb4cQhXd" +
+                "ipcB_Qj093xvLrJyZXWxeavqYhryeuHi2jgcs59MfV1U9hMaKqqjVN1pcZYSrxDzn5leBF5bw7_YKaD_R6cFY8VtpVv5j_U8Woh" +
+                "tyIjM7_n2CsZ55vY8MUHCAYxzXK9_s75e6Ug8L4MEqpgeoJGQzYCxFrBFgGyDMv1jadLwNl4Y3yLhv4RLtQMU5AM6nODI601UfY" +
+                "drapObF3mpl_74H_YdRqT28LepGMtkEXbjeRgB-FiFGLvYlrK4wygczLBKrcviVyzyhrIrqz3TYV3g.Lf5lECzAdyAGgP8t.SHB" +
+                "UZoWkqwW_7u0GElrUqX1tewqRaUMWdGPHxpLRPmpVuc7FwQ27-kdsQ6O1_twhZ7uzjzZaEkatNhMxy9k10733-r4GT1lTGVqidK" +
+                "iBZq3mRQu7qJpcz7JWUroNFRLxhSoqpLpC8_tAhkohzG-mE42xdEh4tNDy3pBtAG0fe42WrLtWTuyg5lpmOYSppOc2Gb6LcDr4M" +
+                "mxFNPgoatF0edJSgO-CpFJQTcXn-22lU2g7o22x3RcBx9_KZH0At3g9y9uTuBncExOoBRK_ZweKOl0q76TaLiv5faXINW15xz9h" +
+                "ILA.RGYIL7FaQqAIMPAiQdkOig";
+
+        EncryptedJWT jwt = EncryptedJWT.parse(encryptedJWTString);
+
+        // Create a decrypter with the specified private RSA key.
+        RSADecrypter decrypter = new RSADecrypter(privateKey);
+
+        jwt.decrypt(decrypter);
+
+        // Printing decrypted id token header.
+        System.out.println("ID token header: " + jwt.getHeader().toJSONObject());
+
+        // Printing decrypted id token header.
+        System.out.println("ID token claims: " + jwt.getJWTClaimsSet().toJSONObject());
+    }
+}
+```
+
+When encrypted ID tokens are produced, two encryption processes happen. First, a random Content Encryption Key (CEK) is generated. Then the payload is encrypted using this CEK and a symmetric encryption algorithm, which is called the encryption method. Then the CEK is encrypted again using the public key of the client and an asymmetric encryption algorithm, which is called the encryption algorithm.
+
+You can read more about these concepts in the [RFC 7516 specification](https://tools.ietf.org/html/rfc7516).
+
+You can configure the default values of the encryption method and encryption algorithm by making changes to the `<IS_HOME>/repository/conf/deployment.toml` file.
+
+```toml
+[oauth.oidc.id_token]
+supported_encryption_algorithms=["RSA1_5","RSA-OAEP"]
+supported_encryption_methods=["A128GCM","A192GCM","A256GCM","A128CBC-HS256","A128CBC+HS256"]
+```
+
+For encryption algorithm, WSO2 Identity Server currently supports the following algorithms:
+
+- RSA1_5
+- RSA-OAEP
+
+For encryption method, WSO2 Identity Server currently supports the following algorithms:
+
+- A128GCM
+- A192GCM
+- A256GCM
+- A128CBC-HS256
+- A128CBC+HS256
+
+!!! note
+    The default keystore shipped with WSO2 products is `wso2carbon.jks`. The password for the keystore is `wso2carbon` and the certificate alias is also `wso2carbon`. In a production environment, we recommend that you change these values.
+
+!!! info "Related topics"
+    - [Concept: ID Token]({{base_path}}/references/concepts/authentication/id-token/)
+    - [Guide: Encrypt ID tokens]({{base_path}}/guides/authentication/oidc/oidc-token-encryption/)