IBM Verify

  • 1.  JWT encrypt/decrypt

    Posted Mon October 19, 2020 07:18 AM
    I looked for this information all over Knowledge Center, but couldn't find the answer.
    In OIDC, I would like to encrypt a field (claim) in JWT.
    I use the PreToken Mapping Rule to get the value I need to encrypt, e.g. credCreditCard.
    How do I encrypt it, and have the OP (Provider) generate a valid token?

    Likewise, if I implement the Relying Party, how do I decrypt the credCreditCard?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: JWT encrypt/decrypt

    Posted Mon October 19, 2020 07:53 AM
    Hi Joao,

    Verify Access doesn't have in-built support to encrypt individual attributes - it supports the encryption of the entire JWT (using nested JWT).  I don't think the JWT spec supports individual attribute encryption (unless you can tell me different).

    Encryption of the JWT is supported both for standalone use of the JWT token module in STS (configured in JWT module properties) or when using OpenID Connect (configured in OpenID connect properties of definition).

    If you want to encrypt an individual attribute that would need to be done independently of the JWT creation.  You'd have to create some kind of encrypted object and then set it as a claim value to be included in the JWT.  Verify Access doesn't provide generic crypto libraries in JavaScript (at least I don't think it does) so this would be non-trivial... You'd have to import "raw" JavaScript libraries or call out to an external service to perform the crypto.  Same would be true for decryption.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: JWT encrypt/decrypt

    Posted Mon October 19, 2020 08:03 AM
    How can I import a library into ISAM to be accessible to the Mapping Rules?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: JWT encrypt/decrypt

    Posted Mon October 19, 2020 08:29 AM
    Joao,

    To be clear, you can't import Java libraries into ISAM mapping rules.  However, you can import one JavaScript mapping rule into another by using this syntax:

    importMappingRule("anotherMappingRuleName");

    So, if you identify a JavaScript crypto library, you would then need to import the JavaScript content into mapping rules which could then be "imported" into your main JavaScript mapping rules (or token mapping rules).  Like I said, this is non-trivial.  You'd have to somehow manage crypto keys etc. too.  I'm not sure I recommend it.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: JWT encrypt/decrypt

    Posted Mon October 19, 2020 08:37 AM

    As Jon said, it must be a JavaScript library. I typically use the KJUR library, or JSCrypto. You create a mapping rule all on its own with the library, and import that into your other mapping rules. I wrote a little about how to get the KJUR library to work as a mapping rule in this article https://www.ibm.com/blogs/sweeden/using-custom-access-tokens-in-the-isam-oauth-server/

    There is a small trick to using it as an ISAM JS mapping rule because it typically expects to be run in a browser where there is a "navigator" object in context.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------