Description
The OIDC Core Specification recommends decrypting the ID Token if it's encrypted:

> If the ID Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt the ID Token. If encryption was negotiated with the OP at Registration time and the ID Token is not encrypted, the RP SHOULD reject it.
AFAIK, JWEs are not often used. But as Symfony supports the OIDC feature (experimentally), it could be interesting to support JWE. It only concerns OidcTokenHandler.
Question: should it be a new feature or a bugfix (as it's part of the Core Specification)?
Example
To decrypt a JWE, a public JWK is required. Hopefully, it is available on the /certs endpoint on the OIDC server, so we can import it dynamically (cf. #50434).
```yaml
security:
    firewalls:
        main:
            oidc:
                # add new "encryption" option
                encryption:
                    # proposal 1: same approach as the "signature.key" option, the JWK is set here as a JSON string
                    key: '{"kid": "...","kty": "RSA","alg": "RS256","use": "sig","n": "3G..."}'
                    # proposal 2: detect that the value is a URI, call it to import the JWK
                    key: 'https://www.example.com/protocol/openid-connect/certs'
                    # proposal 3: add a "certs" option not combinable with "key" to import and set the "key" option dynamically
                    certs: 'https://www.example.com/protocol/openid-connect/certs'
```
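As an added illustration of what the proposed "encryption" option has to do before any decryption happens (this is example code, not Symfony's OidcTokenHandler, and it is written in Python to keep the logic independent of the framework): the RP must tell a compact JWE (five segments) from a plain JWS (three segments), apply the spec rule quoted above that an unencrypted token is rejected when encryption was negotiated, read the JWE protected header, resolve the configured key value either as inline JSON (proposal 1) or as a URL to fetch (proposal 2), and pick the JWK whose `kid` the header names and whose `use`/`alg` fit. The JWKS document, the `fake_fetch` HTTP stand-in, the token strings and the allowed-algorithm lists are all constructed for the example; actual decryption is left to a JOSE library once the key is selected.

```python
"""Pre-decryption checks an RP performs on an ID Token that may be a JWE.

Example code, not Symfony's implementation. It resolves the configured
"encryption.key" value (inline JWK / JWK Set JSON, or a JWKS URL), selects
the key named by the JWE protected header and enforces the OIDC Core rule
that an unencrypted token is rejected when encryption was negotiated.
"""
import base64
import json
from urllib.parse import urlparse

# Algorithms this RP is willing to accept (constructed policy for the example).
# A header naming anything else is rejected before key material is touched.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256"}
ALLOWED_ENC = {"A128GCM", "A256GCM", "A128CBC-HS256"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used by JOSE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode to unpadded base64url (used only to build the sample tokens)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_encryption_policy(token: str, encryption_negotiated: bool) -> str:
    """Return "jwe" or "jws", or raise when the token violates policy."""
    segments = token.count(".") + 1
    if segments == 5:
        return "jwe"
    if segments == 3:
        if encryption_negotiated:
            # Encryption was negotiated at Registration but the ID Token arrived
            # unencrypted: the spec says the RP SHOULD reject it.
            raise ValueError("encryption negotiated but ID Token is not encrypted")
        return "jws"
    raise ValueError("malformed token: %d segments" % segments)


def jwe_protected_header(token: str) -> dict:
    """Parse the protected header of a compact JWE and validate alg/enc."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") not in ALLOWED_ALG:
        raise ValueError("unsupported JWE alg: %r" % header.get("alg"))
    if header.get("enc") not in ALLOWED_ENC:
        raise ValueError("unsupported JWE enc: %r" % header.get("enc"))
    return header


def resolve_key_source(value: str, fetch) -> list:
    """Turn the configured key value into a list of JWK dicts.

    A value that parses as an http(s) URL is retrieved through `fetch` (an
    injected HTTP client); anything else is treated as inline JSON, either a
    single JWK or a JWK Set with a "keys" array.
    """
    parsed = urlparse(value)
    document = fetch(value) if parsed.scheme in ("http", "https") else value
    data = json.loads(document)
    return data["keys"] if "keys" in data else [data]


def select_decryption_key(keys: list, header: dict) -> dict:
    """Pick the JWK matching the header's kid and suitable for encryption use."""
    candidates = [k for k in keys if k.get("kid") == header.get("kid")]
    if not candidates:
        raise LookupError("no JWK with kid %r" % header.get("kid"))
    key = candidates[0]
    if key.get("use") not in (None, "enc"):
        raise ValueError("JWK %r is not an encryption key (use=%r)" % (key["kid"], key["use"]))
    if key.get("alg") not in (None, header["alg"]):
        raise ValueError("JWK alg %r does not match header alg %r" % (key["alg"], header["alg"]))
    return key


# ---- constructed sample data, not taken from any real OP ----
CERTS_URL = "https://www.example.com/protocol/openid-connect/certs"
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sig-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "constructed-n", "e": "AQAB"},
    {"kid": "enc-1", "kty": "RSA", "alg": "RSA-OAEP-256", "use": "enc", "n": "constructed-n", "e": "AQAB"},
]})
# Header is real base64url JSON; the remaining segments are placeholders only.
SAMPLE_JWE = b64url_encode(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": "enc-1"}).encode()) + ".ek.iv.ct.tag"
SAMPLE_JWS = b64url_encode(json.dumps({"alg": "RS256", "kid": "sig-1"}).encode()) + ".payload.sig"


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP client; serves the constructed JWKS for the certs URL."""
    if url != CERTS_URL:
        raise LookupError("unexpected URL " + url)
    return SAMPLE_JWKS


def selected_kid(config_value: str = CERTS_URL, token: str = SAMPLE_JWE) -> str:
    """Full pre-decryption path: policy check, header parse, key resolution."""
    check_encryption_policy(token, encryption_negotiated=True)
    header = jwe_protected_header(token)
    keys = resolve_key_source(config_value, fake_fetch)
    return select_decryption_key(keys, header)["kid"]


def rejects_plain_token_when_negotiated(token: str = SAMPLE_JWS) -> bool:
    """True when a plain JWS is refused under a negotiated-encryption policy."""
    try:
        check_encryption_policy(token, encryption_negotiated=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(selected_kid())  # enc-1
```

Both configuration shapes run through the same `resolve_key_source`, which is what makes proposal 2 work without a separate option: the URL check is on the parsed scheme, so a JSON string starting with `{` never gets fetched. The `use`/`alg` check on the selected JWK is there because a JWKS typically lists signing and encryption keys side by side, and a `sig` key must not be accepted for decryption even if its `kid` matches.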