
Token Decryption

jennyf19 edited this page Dec 9, 2020 · 12 revisions

WIP: work in progress...

As a developer of a protected web API accepting v2 tokens, I can require my clients to acquire encrypted tokens in order to call my web API.

Why would a web API developer want their web API to receive encrypted tokens?

When a client application requests an access token on behalf of a user to call a web API, the client app developer could be tempted to crack open the token (even though we discourage them from doing so) and thereby read claims about the user which we (or the web API developer) would not want the client app to know about. This is a question of privacy: for instance, we don't want claims like the ageGroup, the puid (MSA), or even the hardware id (HWID) to leak.

Therefore, web APIs can request encrypted tokens. The JSON Web Encryption (JWE) standard provides a solution to this problem.

TokenDecryption Certificates

In the registration of the web API, you can add a token decryption certificate: the public key is shared with Azure AD, and your application keeps the corresponding private key. While still in the app registration, you can direct Azure AD to encrypt the tokens it issues for your web API with the decryption certificate you provided.

When the client receives the access token, it is encrypted, so the client cannot open it and read its claims.

When the web API receives the encrypted access token from the client, it uses the private key of the decryption certificate to decrypt the access token, and then validates the claims.
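As an added example, not taken from this page or from the Microsoft Identity Web project's own samples, the following appsettings.json shows how a web API built with Microsoft Identity Web is pointed at the private key for the steps described above. The TokenDecryptionCertificates section reuses the library's CertificateDescription format (the same shape as ClientCertificates) and here loads the certificate from the current user's certificate store by thumbprint; the tenant id, client id and thumbprint values are constructed placeholders.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",

    "TokenDecryptionCertificates": [
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateThumbprint": "PLACEHOLDER_THUMBPRINT_OF_DECRYPTION_CERTIFICATE"
      }
    ]
  }
}
```

On the Azure AD side, the public key of this certificate is the one uploaded to the web API's app registration, and the registration's manifest property tokenEncryptionKeyId is set to the keyId of that credential so that Azure AD encrypts the tokens it emits for the API. Two practical checks: the private key must only be present on the web API hosts (if it leaks to a client, the privacy benefit is gone), and if the API also uses a certificate as its own client credential for downstream calls, use a separate certificate for that purpose rather than reusing the decryption key.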
