Closed asunilkutty closed 9 years ago
The JWT spec says this is allowed, but the Microsoft implementation does not implement it.
What are you looking to do? If you're trying to have the Angular client know the contents of the token, then OAuth is not the protocol for that -- OpenID Connect is.
We want to be able to read some parts of the content, like the name of the user that logged in, and use that to display a welcome message on the Angular page. But we will also have other information in the token, like the network login id and other claims, that need not be read on the client side and will only be used on the server side to perform application functionality and should be decrypted on the server side.
Can this be achieved using the OpenID Connect protocol?
Yes. You'll want to use IdentityServer v3 for this (not AuthorizationServer): https://github.com/thinktecture/Thinktecture.IdentityServer.v3/
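What the replies above describe, as an added example that is not part of the thread or of IdentityServer's code: the browser reads display claims only from a signed OpenID Connect id_token and treats an encrypted (JWE) or unparseable token as opaque. The helper names and both sample tokens are constructed for illustration, and signature validation of the id_token is assumed to be done by the OIDC client library before this runs.

```javascript
// Added illustration; helper names and sample tokens are constructed.
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function b64urlToJson(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Compact JWS (signed) has 3 dot-separated segments; compact JWE
// (encrypted) has 5 and carries an "enc" header parameter.
function classifyToken(token) {
  const parts = String(token).split('.');
  let header;
  try { header = b64urlToJson(parts[0]); } catch { return { kind: 'opaque' }; }
  if (!header || typeof header !== 'object') return { kind: 'opaque' };
  if (parts.length === 5 && header.enc) return { kind: 'jwe', header };
  if (parts.length === 3) return { kind: 'jws', header, parts };
  return { kind: 'opaque' };
}

// Display-only read: the result is for a welcome message, never for an
// authorization decision. Assumes the OIDC library already validated
// the id_token signature, issuer, audience and nonce.
function displayNameFromIdToken(idToken) {
  const t = classifyToken(idToken);
  if (t.kind !== 'jws') return null;            // encrypted or malformed
  if (!t.header.alg || t.header.alg === 'none') return null; // unsigned
  let claims;
  try { claims = b64urlToJson(t.parts[1]); } catch { return null; }
  return claims && typeof claims.name === 'string' ? claims.name : null;
}

// Constructed samples: a signed-looking id_token with a placeholder
// signature, and a five-segment JWE whose body the client cannot read.
const SAMPLE_ID_TOKEN = [
  enc({ alg: 'RS256', typ: 'JWT' }),
  enc({ sub: 'constructed-user', name: 'Alice Example' }),
  'c2lnbmF0dXJl',
].join('.');
const SAMPLE_JWE =
  enc({ alg: 'RSA-OAEP', enc: 'A256GCM' }) + '.AAAA.BBBB.CCCC.DDDD';

console.log(displayNameFromIdToken(SAMPLE_ID_TOKEN));
console.log(classifyToken(SAMPLE_JWE).kind);
```

Claims that only the server needs, such as the network login id mentioned in the thread, stay out of the id_token and are never parsed in the browser.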
Thanks for the response.
I looked into Identity Server V3 and was not sure if it is ready for production use. When I looked at it, to me it seemed like support database is not there yet and I was wondering how we could configure it per relying party. I also had some issues configuring it with ADFS. I can probably take a look at it to see if I can configure it correctly.
Also, I am assuming in this case that the login page will be provided by Thinktecture Identity Server and ADFS will be set up as a federated party and will handle the production of the JWT token for the consuming application.
We're closer to release now (Jan 2015). And yes, you'd configure ADFS as an external IdP. If it's the only IdP then the login page will automatically redirect to ADFS.
We have implemented an implicit client workflow to provide an AngularJS application with an OAuth token. In this setup, Thinktecture Authorization Server is protected using ADFS and the user sees the ADFS logon challenge screen. After a successful login, the browser is redirected to Thinktecture, a JWT token is produced, and this is sent to the original application that requested it.
Can this JWT token that is produced by AS be encrypted on the server side and decrypted on the AngularJS client? If not, can parts of this JWT token be encrypted?