Hello there,
When using Azure AD B2C (Business-to-Customer) for authentication and authorization in your application, the ID token is already encrypted by default. Azure AD B2C uses JSON Web Tokens (JWTs) for the ID token, which are digitally signed and can be encrypted as well.
However, by default, Azure AD B2C only signs the ID token, providing data integrity and authenticity, but not encryption. The ID token contains claims such as user identity information and other relevant data.
If you require additional confidentiality and encryption for the ID token contents, you have a couple of options:
Encrypt Claims within ID Token: Azure AD B2C supports the ability to encrypt individual claims within the ID token. You can configure specific claims to be encrypted using Azure AD B2C custom policies. This way, only the intended recipients with the decryption key can access the encrypted claims.
Use Encrypted ID Token Response Mode: Azure AD B2C supports response modes, and you can use the id_token+encrypted_response response mode to request an encrypted ID token as part of the authentication flow. This ensures that the entire ID token is encrypted, providing confidentiality for all the claims within it.
To implement these encryption options, you will need to configure custom policies in Azure AD B2C. Custom policies allow you to modify and extend the default behavior of Azure AD B2C and implement advanced authentication and authorization scenarios.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
Hope this resolves your query!
--If the reply is helpful, please upvote and accept it as an answer--
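A practical way to see which of the two cases above you are actually in is to look at the token your application receives: a signed-only ID token is a compact JWS (three dot-separated segments, and its claims segment is plain base64url-encoded JSON that anyone holding the token can read), whereas an encrypted ID token is a compact JWE (five segments, with the claims inside the ciphertext and an "enc" field in the header). The following inspector is an added example, not code from the answer above or from Microsoft; the two tokens in it are constructed inline with placeholder signature and ciphertext segments, and the header values (RS256, RSA-OAEP, A256GCM) are illustrative algorithm names, not a statement of what a particular B2C policy issues.

```python
"""Inspect an ID token to see whether it is only signed (JWS) or encrypted (JWE).

Constructed example: the two tokens below are assembled inline from sample
headers and payloads; their signature and ciphertext segments are placeholders,
not valid cryptographic material.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515 Appendix C);
    # restore the padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> str:
    """Return 'JWS' for a signed-only compact token (3 segments)
    or 'JWE' for an encrypted one (5 segments, RFC 7516)."""
    parts = token.split(".")
    if len(parts) == 3:
        return "JWS"
    if len(parts) == 5:
        return "JWE"
    raise ValueError(f"not a compact JWS/JWE token: {len(parts)} segments")


def peek_header(token: str) -> dict:
    """Decode the protected header. It is never encrypted, so this works
    for both JWS and JWE and is where 'alg' (and, for JWE, 'enc') live."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def exposed_claims(token: str):
    """For a JWS, return the claims anyone holding the token can read with no key at all.

    For a JWE the second segment is the encrypted content key and the fourth is
    ciphertext, so nothing about the claims is readable without the decryption key.
    """
    if classify_token(token) == "JWE":
        return None
    return json.loads(_b64url_decode(token.split(".")[1]))


def _make_sample(header: dict, *segments: bytes) -> str:
    # Assemble a compact token from a JSON header plus raw trailing segments (constructed sample).
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [_b64url_encode(s) for s in segments]
    return ".".join(parts)


# Constructed sample 1: a signed-only ID token. The claims are plaintext to any holder.
SIGNED_ONLY_TOKEN = _make_sample(
    {"alg": "RS256", "typ": "JWT", "kid": "sample-signing-key"},
    json.dumps({"sub": "sample-object-id", "email": "alice@example.com", "aud": "sample-app-id"}).encode(),
    b"placeholder-signature",
)

# Constructed sample 2: the shape of an encrypted ID token (JWE compact serialization):
# header . encrypted key . IV . ciphertext . authentication tag
ENCRYPTED_TOKEN = _make_sample(
    {"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "sample-encryption-key"},
    b"placeholder-encrypted-cek",
    b"placeholder-iv",
    b"placeholder-ciphertext",
    b"placeholder-tag",
)


def describe(token: str) -> str:
    """One-line summary of what protection the token carries, based on its header."""
    kind = classify_token(token)
    hdr = peek_header(token)
    if kind == "JWS":
        return f"JWS signed with {hdr.get('alg')}: claims readable by anyone holding the token"
    return f"JWE: key wrapped with {hdr.get('alg')}, content encrypted with {hdr.get('enc')}"


if __name__ == "__main__":
    for t in (SIGNED_ONLY_TOKEN, ENCRYPTED_TOKEN):
        print(describe(t))
        print("  exposed claims:", exposed_claims(t))
```

Note that this only inspects structure; it deliberately does not verify the signature or decrypt anything. The point it makes is the confidentiality one from the answer: with a signed-only token, `exposed_claims` returns the user's identity claims with no key involved, so signing alone protects integrity and authenticity, not secrecy. In a real application you would still validate the signature (and, for a JWE, decrypt with your private key) with a proper JOSE library before trusting any claim.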