We have PR for introducing encryption support for OIDC ID Tokens. See
 and .
IMO The PR is great contribution and is quite complete. There is support
for manage encryption keys through the REST API or through the OIDC
client registration, which is probably sufficient for have the OIDC FAPI
support happy. However one thing, which seems to be missing, is better
admin console support for seeing and managing the encryption keys of the
Regarding the admin console, the PR just introduces 2 new options for
the client for choosing the algorithms for encryption of ID Tokens.
For more details, admin console doesn't have support for "hardcode" the
client encryption key/certificate. It has support for downloading the
key from the client's JWKS URL, but the JWKS URL is configured on the
bit strange place. Right now, it is configured under tab "Credentials",
then you need to choose "Signed-JWT" and then you can configure the JWKS
URL. This was OK, when only point of JWKS URL was used just for
signed-jwt client authentication. But now with adding the encrypted ID
tokens support, this is not very appropriate place IMO. For example if
you want to use encrypted ID Tokens together with traditional client
authentication based on clientId/clientSecret, you shouldn't be required
to go to "Credentials -> Signed JWT Authenticator" at all.
So not sure, if we shoud do some small re-design of admin console now?
For example, for SAML clients, there is tab "SAML Keys" where you can
see/generate/import/export keys used for SAML. I can imagine something
like that for OIDC clients too. We can introduce tab "OIDC Keys" or just
"Keys" . That will allow to have switch "Use JWKS URL" and then
configure JWKS URL (optional) or alternatively the client keys used for
SIG and ENC, which will be required just if "Use JWKS URL" is OFF
similarly like it is currently in the "Credentials -> Signed JWT". Then
in the tab "Credentials -> Signed JWT", there will be just info that you
need to configure JWKS URL or Signing key in the tab "Keys" - so no
configuration options on this page. Similarly the tooltips for the new
options for ID Token support will contain the tooltip, that you should
configure JWKS URL or "hardcode" encryption key in the tab "Keys" .
The bonus point will be the possibility to view the keys downloaded from
JWKS URL and the ability to invalidate the keys of the individual client
from the cache (currently it's possible to invalidate just globally for
the whole realm AFAIK).
TBH I am not sure whether to add admin console support in this PR or
have the follow-up PR.