
OAuth2 JWT access token support Signing but do not support Encryption.

Open · wovvtech opened this issue 4 years ago · 1 comment

OAuth2 JWT access token encryption after sign the JWT

Problem

I am presently using FusionAuth and it is a very good product. I am using the OAuth access token, which is in the form of a JWT. This JWT access token is only signed by some algorithm and not encrypted, so by decoding it we can see the payload part of the JWT. So, after signing the access token, if there is an option to encrypt it using a symmetric key or a private and public key pair, then it will be more secure. If it has an option for a user-specific encryption key, then it is even more secure.

Solution

To solve this, we can use a symmetric key algorithm for encryption and decryption, with a key that is unique for each user; that is the best option. We can also use one pair of a public key and a private key; that is good too and makes our JWT access token more secure.

wovvtech avatar Jan 01 '20 06:01 wovvtech
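The request above is what RFC 7519 calls a nested JWT: the signed JWS becomes the plaintext of a JWE, so the payload that was readable after base64url decoding is replaced by ciphertext. The following Go program is an added example written for this page, not FusionAuth code; it assumes HS256 for the inner signature and the "dir"/A256GCM JWE mode from the issue's symmetric-key option, with a constructed 32-byte signing key and a constructed per-user content encryption key (`cek`). The public/private key option in the issue would use a key-wrapping `alg` such as RSA-OAEP instead of `dir` and is not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE uses base64url without padding everywhere.
func b64(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// SignHS256 builds a compact JWS (header.payload.signature). The payload is only encoded, not hidden.
func SignHS256(claims map[string]any, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// PeekPayload decodes the claims WITHOUT any key: this is the exposure the issue describes.
func PeekPayload(jws string) (map[string]any, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw, err := unb64(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

// VerifyHS256 checks the HMAC in constant time and returns the claims.
func VerifyHS256(jws string, key []byte) (map[string]any, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := unb64(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	return PeekPayload(jws)
}

// Protected header of the outer JWE; "cty":"JWT" marks a nested JWT (RFC 7519 section 5.2).
const jweHeader = `{"alg":"dir","enc":"A256GCM","cty":"JWT"}`

// EncryptDirA256GCM wraps plaintext in a compact JWE with a 32-byte content encryption key.
// Per RFC 7516 the base64url protected header is the AES-GCM additional authenticated data.
func EncryptDirA256GCM(plaintext, cek []byte) (string, error) {
	if len(cek) != 32 {
		return "", errors.New("A256GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every token
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	protected := b64([]byte(jweHeader))
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected)) // ciphertext || 16-byte tag
	tagAt := len(sealed) - gcm.Overhead()
	// Compact JWE: protected.encryptedKey.iv.ciphertext.tag ("dir" leaves encryptedKey empty)
	return strings.Join([]string{protected, "", b64(iv), b64(sealed[:tagAt]), b64(sealed[tagAt:])}, "."), nil
}

// DecryptDirA256GCM rejects any JWE whose header, IV, ciphertext or tag was altered.
func DecryptDirA256GCM(jwe string, cek []byte) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	rawHeader, err := unb64(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Enc string }
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" || parts[1] != "" {
		return nil, errors.New("unsupported JWE algorithm") // the token never chooses the algorithm
	}
	iv, e1 := unb64(parts[2])
	ct, e2 := unb64(parts[3])
	tag, e3 := unb64(parts[4])
	if e1 != nil || e2 != nil || e3 != nil || len(cek) != 32 {
		return nil, errors.New("malformed JWE or key")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	if len(iv) != gcm.NonceSize() {
		return nil, errors.New("bad IV length")
	}
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

func main() {
	signingKey := []byte("constructed-32-byte-signing-key!") // constructed sample key
	cek := []byte("constructed-32-byte-content-key!")        // constructed per-user key
	jws, _ := SignHS256(map[string]any{"sub": "user-123", "roles": []string{"admin"}}, signingKey)
	peeked, _ := PeekPayload(jws)
	fmt.Println("signed JWT payload, no key needed:", peeked)
	jwe, _ := EncryptDirA256GCM([]byte(jws), cek)
	fmt.Println("nested JWE:", jwe)
	inner, _ := DecryptDirA256GCM(jwe, cek)
	claims, err := VerifyHS256(string(inner), signingKey)
	fmt.Println("decrypt then verify:", claims, err)
}
```

The resource server must decrypt first and only then verify the inner signature; encryption alone proves nothing about who issued the token, and the header check in `DecryptDirA256GCM` is what stops a presented token from downgrading the algorithm.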

This article is a good overview of JWE options: https://www.scottbrady91.com/jose/json-web-encryption

mooreds avatar Aug 18 '22 13:08 mooreds