Testing OIDC Encrypted ID Token with IS

This page describes how you can configure and test OIDC Encrypted ID Token with Identity Server.

Setup Playground Sample

First, you should setup the Playground sample app.

Configuring the service provider

The next step is to configure the service provider.

Configuring Service Provider Public Certificate

The following steps describe how to configure a service provider public certificate:

Execute the following command from the <IS_HOME>/repository/resources/security directory to create a new keystore:

keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore testkeystore.jks -dname "CN=*.test.com,OU=test,O=test,L=MPL,ST=MPL,C=FR" -storepass wso2carbon -keypass wso2carbon -validity 10950

Execute the following command to export the public key of the new keystore to a file, named with the client-id of the OAuth application.
```
	keytool -export -alias wso2carbon -file testPublicCert.crt -keystore testkeystore.jks
```
This prompts for the keystore password.
Enter wso2carbon as the password.
Execute the following command to retrieve the certificate in X509 format:
```
keytool -printcert -rfc -file testPublicCert.crt
```
You will see the public certificate in X509 format on the terminal.
Copy the content of the certificate.
On the Management Console, go to Service Providers -> List, and Edit the service provider that you created when setting up the playground sample.
Paste the certificate content that you copied as the Application Certificate of the service provider.
Click Update.

Enable ID Token Encryption

Follow the below steps to enable ID Token Encryption:

Navigate to Service Provider > Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and Click Edit.
Click Enable ID Token Encryption to enable id_token encryption. Once you enable id_token encryption, two select boxes will be visible to choose your preferred encryption algorithm and encryption method.
- Encryption Algorithm: Asymmetric encryption algorithm that is used to encrypt the Content Encryption Key (CEK), using the public key of the service provider.
- Encryption Method: Symmetric encryption algorithm that is used to encrypt the JWT claims set using the CEK.
Leave these values as they are since you do not have special requirements.

Testing the flow - Authorization Code Grant Type

Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the application.
Enter the following details and click Authorize.
- Authorization Grant Type: Authorization Code
- Client ID: (the client id received at the application registration step in Identity Server)
- Scope:openid (This scope is a requirement to provide user information. Any token without this scope will not be allowed to access user information.)
- Callback URL:http://wso2is.local:8080/playground2/oauth2client
- Authorize Endpoint:https://localhost:9443/oauth2/authorize
Sign in with the user credentials.
Click Approve to consent to this action.
Provide the following details and click Get Access Token.
- Callback URL: http://wso2is.local:8080/playground2/oauth2client
- Access Token Endpoint: https://localhost:9443/oauth2/token
- Client Secret: (client secret received at the application registration)
At this point, the application receives the Access Token and Encrypted ID Token.
In order to decrypt the ID Token, you need to provide the private key of the client.
Click here to know how to Obtain the Service Provider Private Key
1. Import JKS into a PKCS12 formatted store.
  
  keytool -importkeystore -srckeystore testkeystore.jks -destkeystore testkeystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass wso2carbon -deststorepass wso2carbon -srcalias wso2carbon -destalias wso2carbon -srckeypass wso2carbon -destkeypass wso2carbon
2. Extract the private key into a file named “key.pem”.
  
  openssl pkcs12 -in testkeystore.p12 -out key.pem -passin pass:wso2carbon -passout pass:wso2carbon -nodes -nocerts
3. Open the created key.pem file using a text editor and you will see the extracted private key.
4. Copy only the key string as shown in the below sample.
Paste the copied private key in Client Private Key text area.
Click Decrypt and the decrypted ID Token details will be displayed.

Testing the flow - Implicit Grant Type

Before you begin, you must first set up the sample webapp.
Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the application.
Enter the following details and click Authorize.
- Authorization Grant Type: Implicit
- Client ID: (the client id received at the application registration step in Identity Server)
- Scope:openid (This scope is a requirement to provide user information. Any token without this scope will not be allowed to access user information.)
- Callback URL: http://wso2is.local:8080/playground2/oauth2client
- Authorize Endpoint: https://localhost:9443/oauth2/authorize
Sign in with the user credentials.
Click Approve to consent to this action.
At this point, the application receives the Access Token and the encrypted ID Token.
In order to decrypt the ID Token, you need to provide the private key of the client.
Click here to know how to Obtain the Service Provider Private Key
1. JKS into a PKCS12 formatted store.
  keytool -importkeystore -srckeystore testkeystore.jks -destkeystore testkeystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass wso2carbon -deststorepass wso2carbon -srcalias wso2carbon -destalias wso2carbon -srckeypass wso2carbon -destkeypass wso2carbon
2. Extract the private key into a file named “key.pem”.
  openssl pkcs12 -in testkeystore.p12 -out key.pem -passin pass:wso2carbon -passout pass:wso2carbon -nodes -nocerts
3. Open the created key.pem file using a text editor and you will see the extracted private key.
4. Copy only the key string as shown in the below sample.
Paste the copied private key in Client Private Key text area.
Click Decrypt and the decrypted ID Token details will be displayed.

Testing the flow - Password Grant Type

Before you begin, you must first set up the sample webapp.
Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the application.
Enter the following details and click Authorize.
- Authorization Grant Type: Resource Owner
- Client ID: (the client id received at the application registration step in Identity Server)
- Client Secret: (the client secret received at the application registration)
- Resource Owner User Name: (username)
- Resource Owner Password: (password of user)
- Scope:openid (This scope is a requirement to provide user information. Any token without this scope will not be allowed to access user information.)
- Access Token Endpoint: https://localhost:9443/oauth2/ token
At this point, the application receives the Access Token and the encrypted ID Token.
In order to decrypt the ID Token, you need to provide the private key of the client.
Click here to know how to Obtain the Service Provider Private Key
1. JKS into a PKCS12 formatted store.
  keytool -importkeystore -srckeystore testkeystore.jks -destkeystore testkeystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass wso2carbon -deststorepass wso2carbon -srcalias wso2carbon -destalias wso2carbon -srckeypass wso2carbon -destkeypass wso2carbon
2. Extract the private key into a file named “key.pem”.
  openssl pkcs12 -in testkeystore.p12 -out key.pem -passin pass:wso2carbon -passout pass:wso2carbon -nodes -nocerts
3. Open the created key.pem file using a text editor and you will see the extracted private key.
4. Copy only the key string as shown in the below sample.
Paste the copied private key in Client Private Key text area.
Click Decrypt and the decrypted ID Token details will be displayed.