7,023 questions
How to enable id token encryption in JWT token while using v2 endpoint?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 91%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGY%3C/text%3E%3C/svg%3E)
Gray Yeung
0
Reputation points
Hello,
As I followed https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Decryption step by step, but I cannot make it worked. Even though I configure the certificate and the manifest in the app registration, Azure still send me the base64 encoded token, not an encrypted token.
- I did upload the certificate to Microsoft Entra and saw the related info appear in the keyCredentials blocks in the manifests.
- Maybe RSA? Because we are using the public key provided by Microsoft. We can get the key ID from the returned JWT header.
- Screenshot as below. not sure if this is what you want. After accessing the url, browser will redirect me to microsoft login page and I input email and passwd, then microsoft will post the rediectURL with JWT token.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,089 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator2024-10-16T04:42:57.5433333+00:00 Hi, Gray Yeung
Thank you for reaching out. We are currently working on this and will update you shortly.
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2024-10-22T05:44:31.7+00:00 Hi @Gray Yeung
Thank you for posting your query on Microsoft Q&A.
I understand that you are following the steps correctly to enable ID token encryption with Azure AD, but you're still receiving a regular JWT instead of an encrypted token.
Here are few steps to resolve the issue:
1.Check Token Configuration in Azure Portal
App Registration: Ensure that you have enabled ID token encryption in the app registration settings.
Manifest: Verify that the key Credentials in the manifest include the correct certificate and that it is marked as end Date not expired.
2.Client ID and Key ID Matching
Ensure that the kid (Key ID) in the JWT header corresponds to the certificate you've uploaded to Azure AD.
The public key should match the private key used to encrypt the token.
Hope this helps. Do let us know if still problem persists.
Thanks,
B. Siri Chandana.
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2024-10-23T04:07:16.11+00:00 Hi @Gray YeungJust checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Gray Yeung 0 Reputation points
2024-10-23T04:32:21.5833333+00:00 Thanks for your info.
My teammate is checking based on your suggestion.
@Yuri Liang -
Gray Yeung 0 Reputation points
2024-10-23T04:34:02.2766667+00:00 <removed>
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 4%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Yuri Liang 5 Reputation points2024-10-23T08:44:35.14+00:00 Thanks @Gray Yeung for posting this question.
Hi @Bandela Siri Chandana , thanks for your suggestions.
For "Enable ID Token Encryption", as I can find, it should be
Am I right?
For "Ensure that the kid (Key ID) in the JWT header corresponds to the certificate you've uploaded to Azure AD.", can you kindly provide a step by step guide? I've used a script to generate a kid from the self-signed certificate. But I cannot find the place to fill the kid in.
Looking forward to your answer ! Thanks in advanced!
Sign in to comment
Sign in to answer