
Encrypt ID Tokens

This page guides you through configuring token encryption for ID tokens.

Register a service provider

To register your application as a service provider in the MWARE IAM:

  1. Log in to the MWARE IAM Management Console using administrator credentials.

  2. Go to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.

Configure the service provider

Make the following changes to the created service provider.

  1. Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.

  2. Enter the Callback Url.

    The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.

  3. Click Enable ID Token Encryption to enable id_token encryption.

    Once you enable id_token encryption, two select boxes appear so that you can choose your preferred encryption algorithm and encryption method.

    • Encryption Algorithm: Asymmetric encryption algorithm that is used to encrypt the Content Encryption Key (CEK), using the public key of the service provider.

    • Encryption Method: Symmetric encryption algorithm that is used to encrypt the JWT claims set using the CEK.

    Leave these values as they are if you do not have any specific requirements.

  4. Click Add.

To configure more advanced configurations, see OAuth/OpenID Connect Configurations.

Configure the public certificate

The following steps describe how to configure a service provider public certificate.

  1. Create a new keystore.

    keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore testkeystore.jks -dname "CN=*,OU=test,O=test,L=MPL,ST=MPL,C=FR" -storepass wso2carbon -keypass wso2carbon -validity 10950

  2. Create a file named after the client ID of the OAuth application (service provider), and export the public certificate of the new keystore into that file.

    keytool -export -alias wso2carbon -file <client-id> -keystore testkeystore.jks

  3. Get the certificate in X.509 format.

    keytool -printcert -rfc -file <client-id>

    You will see the public certificate in X509 format in the console.

  4. Copy the content of the certificate. The output is a PEM block that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----; copy the whole block, including both marker lines.
  5. Click Service Providers > List and Edit the service provider you created.

  6. Select Upload SP Certificate under Select SP Certificate Type.

  7. Paste the certificate content copied in step 4 as the Application Certificate.

    Instead of uploading the service provider certificate as described above, you can select the JWKS endpoint option and enter the relevant JWKS URI.

  8. Click Update.

Try it

This section guides you through obtaining an encrypted ID token and decrypting it using the MWARE IAM playground sample application. Alternatively, you can use a simple Java program to decrypt the token. For instructions, see Decrypt the ID token.

  1. See OAuth Grant Types and try out one of the grant types with the openid scope to obtain an access token.

  2. You will receive an access token and an encrypted ID token.

  3. To decrypt the ID token, provide the private key of the client.

    1. Import the JKS keystore into a PKCS12-formatted store.

      keytool -importkeystore -srckeystore testkeystore.jks -destkeystore testkeystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass wso2carbon -deststorepass wso2carbon -srcalias wso2carbon -destalias wso2carbon -srckeypass wso2carbon -destkeypass wso2carbon

    2. Extract the private key into a file named key.pem.

      openssl pkcs12 -in testkeystore.p12 -out key.pem -passin pass:wso2carbon -passout pass:wso2carbon -nodes -nocerts

    3. Open the created key.pem file in a text editor; it contains the extracted private key.

    4. Copy only the key block (from the BEGIN line through the END line, omitting the Bag Attributes lines that openssl prints above it), as shown in the sample below.

    5. Paste the copied private key in the Client Private Key text area.

    6. Click Decrypt and the details of the decrypted ID Token will be displayed.
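The two-layer scheme from step 3 of the service provider configuration (the CEK wrapped with the asymmetric Encryption Algorithm, the claims sealed with the symmetric Encryption Method) and the decryption the playground performs in this section, as an added example written for this page; it is not code from the MWARE IAM product or the playground sample. It assumes the select boxes were left at RSA-OAEP and A128GCM, uses the third-party `cryptography` package, and substitutes a throwaway RSA key for the key in testkeystore.jks; the claims in `roundtrip_demo` are a constructed sample.

```python
import base64, json, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# JWE alg "RSA-OAEP" (RFC 7518) is RSAES-OAEP with SHA-1 and MGF1-SHA-1.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def unb64u(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encrypt_id_token(claims, public_key):
    """Compact JWE: wrap a fresh CEK with the SP public key (alg), seal the claims with it (enc)."""
    header = b64u(json.dumps({"alg": "RSA-OAEP", "enc": "A128GCM"}).encode())
    cek, iv = AESGCM.generate_key(bit_length=128), os.urandom(12)
    # The protected header is the AAD, so the GCM tag also covers alg/enc.
    sealed = AESGCM(cek).encrypt(iv, json.dumps(claims).encode(), header.encode())
    return ".".join([header, b64u(public_key.encrypt(cek, OAEP)), b64u(iv),
                     b64u(sealed[:-16]), b64u(sealed[-16:])])

def decrypt_id_token(jwe, private_key):
    """Reverse the two steps; raise ValueError on unsupported headers or a bad tag."""
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE")
    header, enc_key, iv, ciphertext, tag = parts
    hdr = json.loads(unb64u(header))
    if hdr.get("alg") != "RSA-OAEP" or hdr.get("enc") != "A128GCM":
        raise ValueError("unsupported alg/enc: %r" % hdr)  # never let the token pick the algorithm
    cek = private_key.decrypt(unb64u(enc_key), OAEP)
    try:
        plain = AESGCM(cek).decrypt(unb64u(iv), unb64u(ciphertext) + unb64u(tag), header.encode())
    except InvalidTag as exc:
        raise ValueError("ID token header or ciphertext was tampered with") from exc
    return json.loads(plain)

def roundtrip_demo():
    """Constructed sample: a throwaway RSA-2048 key stands in for the testkeystore.jks key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    claims = {"iss": "https://idp.example/oauth2/token", "sub": "alice", "aud": "<client-id>"}
    token = encrypt_id_token(claims, key.public_key())
    h, k, i, c, t = token.split(".")  # flip one ciphertext character, then expect rejection
    forged = ".".join([h, k, i, ("B" if c[0] == "A" else "A") + c[1:], t])
    try:
        decrypt_id_token(forged, key)
        rejected = False
    except ValueError:
        rejected = True
    return decrypt_id_token(token, key), claims, rejected
```

To decrypt a real token, replace the throwaway key with `serialization.load_pem_private_key(pem_bytes, password=None)` applied to the key block copied in step 4 above, and keep the alg/enc check aligned with the values you selected in the console.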