Website with Encrypted ID Tokens

Website with Encrypted ID Tokens

Advanced Security
Download on GitHub
On this page


In this tutorial we will show how to use the Curity Identity Server and JSON Web Encryption (JWE) to protect ID tokens that contain Personally Identifiable Information (PII). The web app must be a confidential client, where a back end component manages the private key used for decryption. See the Encrypted ID Tokens article for further details on how encrypted ID tokens are used.

The code example provides a Spring Boot website developed with Kotlin, though the same techniques could be applied to any other back end technology. The same solution is possible for a Single Page Application (SPA) that uses a Backend for Frontend (BFF) approach, such as the Token Handler Pattern.

Create Encryption Keys

First get the code by cloning the GitHub repository, then run the supplied helper script, which will create public and private keys that are used for encryption:


This will result in the following two main files being generated for testing:

client.pubA public key that will be deployed to the Identity Server and used to encrypt ID tokens
client.p12A PKCS12 file that will be loaded into a keystore within the website, then used to decrypt ID tokens


Curity Identity Server is used in this example, but other OAuth servers can also be used.

Configure the Curity Identity Server

Import the file called via the facilities menu in the top right of the Admin UI and select the asymmetric key option when prompted. No password is needed since this is only a public key:

Encryption Public Key

Next navigate to Profiles / Token Service / General and enable the use of ID token encryption, then select the following as whitelisted algorithms:

Encrypted ID Tokens Enabled

Then create a standard web client that uses the code flow with a client secret, and also activate encrypted ID tokens under the OpenID Connect settings:

Client ID Tokens Enabled

Set the following OpenID Connect settings and note that the Spring Boot app will receive responses on these URLs, then use claims from the profile scope to present the user name.

Redirect URIhttp://localhost:8080/login/oauth2/code/curity
Post Logout Redirect URIhttp://localhost:8080/
Scopeopenid profile

The full XML for the web client is shown below:


Build the Code

The code example is based on the OpenID Connect Client with Spring Security, and implements the Code Flow. Open the project in an IDE of your choice, then ensure that the website's OAuth settings match those of your environment:

client-id: website-client
client-secret: Password1
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/login/oauth2/code/curity"
scope: openid, profile
issuer-uri: https://localhost:8443/oauth/v2/oauth-anonymous

Ensure that Java 8 or later and Maven are installed, then run the following commands to build and run the app, which will listen on port 8080 by default:

mvn package
java -jar target/example-website-0.0.1-SNAPSHOT.jar

Run the Web Client

The website application has a minimal UI, so that the focus is only on working with encrypted ID tokens. Browse to http://localhost:8080, which is an unsecured home page that prompts the user to sign in:

Unauthenticated View

After authentication the app displays the user's name by rendering claims received in the ID token, then shows a logout link:

Authenticated View

OAuth Customization

Some OAuth security libraries used by web clients do not yet support JSON Web Encryption. At the time of writing this includes Spring Boot, but we can use Spring's extensibility features to customize handling of responses from the token endpoint. This results in the following web security configuration, where a custom handler is used to process responses from the token endpoint:

class OAuth2SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {

A utility Token Response Converter then manages updating the token response with Signed JWT that is extracted from the ciphertext of the Nested JWT. A little boiler plate code is needed, not all of which is shown in the below code snippet. The Spring Security processing then continues in the standard way, to digitally verify the signed JWT:

class CustomTokenResponseConverter : Converter<Map<String?, String?>?, OAuth2AccessTokenResponse?> {
override fun convert(tokenResponseParameters: Map<String?, String?>): OAuth2AccessTokenResponse {
var idToken = tokenResponseParameters["id_token"]
if (idToken != null) {
idToken = JweDecryptor().decrypt(idToken);
val extraParams = mapOf("id_token" to idToken)
return OAuth2AccessTokenResponse

To manage the JSON Web Encryption the code example first gets a private key object by loading a password protected PKCS12 file into a keystore. The jose4j security library is then used to perform the JWE decryption, which only requires a few lines of code:

class JweDecryptor {
fun decrypt(encryptedJwt: String): String {
val privateKey = loadPrivateKey()
val jwe = JsonWebEncryption()
jwe.key = privateKey
jwe.compactSerialization = encryptedJwt
return jwe.plaintextString

From this point onwards the application works with an ID token that is the inner JWT of the nested JWT. The example demonstrates this by rendering the given_name and family_name claims from the ID token:

class UserController {
fun index(): String {
return "index"
fun user(
model: Model,
@AuthenticationPrincipal oidcUser: OidcUser
): String {
"${oidcUser.idToken.givenName} ${oidcUser.idToken.familyName}")
return "user"


The website also provides a basic OpenID Connect logout capability, but is careful not to send the decrypted ID token in the front channel and reveal PII. This is done by implementing a custom logout handler that omits the id_token_hint field mentioned in OpenID Connect RP Initiated Logout.


Web clients can use encrypted ID tokens if there are reasons for keeping Personally Identifiable Information confidential. This may not always work automatically with the web client's chosen technology stack, though these can be customized via a JOSE compliant library that supports JSON Web Encryption. The web app can then continue to use ID token information in the standard way.