Encrypted-jwt (Section)
Path: /profiles/profile/settings/authorization-server/request-object/encrypted-jwt
The request object JWT must be encrypted and signed.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| decryption-key | leafref → /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id | required | - | A reference to a Decryption Keystore with a key |
| allowed-algorithms | multi-value enumeration (RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW) | optional | - | Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed. |
| allowed-content-encryption-algorithms | multi-value enumeration (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM) | optional | - | Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header. If empty, any supported algorithm is allowed. |
| front-channel-only | boolean | optional | false | Whether encrypted request objects should only be required for front-channel requests to the authorization endpoint. When enabled, request objects must be encrypted for front-channel requests, and may or may not be encrypted for back-channel requests. When disabled, request objects must always be encrypted. |
| include-x5t-in-jwks | boolean | optional | true | Indicates whether to include the certificate thumbprint (‘x5t’) in the JWKS endpoint |
| include-x5c-in-jwks | boolean | optional | false | Indicates whether to include the certificate (‘x5c’) in the JWKS endpoint |
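
The sketch below is an added example, not the product's own code. It models how `allowed-algorithms`, `allowed-content-encryption-algorithms` and `front-channel-only` combine when a compact-serialized request object arrives. The names `check_request_object` and `sample_jwe` and the channel values `"front"` and `"back"` are hypothetical. It inspects the JWE protected header only and does not decrypt or verify signatures.

```python
import base64
import json

# Enumerations copied from the parameter table above.
KEY_MGMT_ALGS = {
    "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW",
    "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW"}
CONTENT_ENC_ALGS = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
                    "A128GCM", "A192GCM", "A256GCM"}

def _b64url_json(segment):
    """Decode one base64url segment (padding restored) as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_request_object(token, channel, allowed_algorithms=(),
                         allowed_content_encryption_algorithms=(),
                         front_channel_only=False):
    """Return (accepted, reason); hypothetical model of the header policy."""
    parts = token.split(".")
    if len(parts) == 3:  # compact JWS: signed but not encrypted
        if front_channel_only and channel == "back":
            return True, "unencrypted allowed on back channel"
        return False, "request object must be encrypted"
    if len(parts) != 5:  # a compact JWE always has five segments
        return False, "not a compact JWE"
    try:
        header = _b64url_json(parts[0])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        header = None
    if not isinstance(header, dict):
        return False, "unreadable JWE protected header"
    # An empty allow-list means any supported algorithm, per the descriptions.
    algs = set(allowed_algorithms) or KEY_MGMT_ALGS
    encs = set(allowed_content_encryption_algorithms) or CONTENT_ENC_ALGS
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(alg, str) or alg not in algs:
        return False, "alg not allowed"
    if not isinstance(enc, str) or enc not in encs:
        return False, "enc not allowed"
    return True, "header accepted"

def sample_jwe(alg, enc):
    """Constructed token: real protected header, placeholder other segments."""
    header = json.dumps({"alg": alg, "enc": enc, "cty": "JWT"}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".key.iv.ct.tag"
```

With both allow-lists left empty, every value in the two enumerations passes the header check, so setting them explicitly is what narrows the accepted `alg` and `enc` values.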