The company I work for is considering ORY Hydra to replace our current OIDC/OAuth2 server. However, one of the IDPs we must support has very strict requirements for full message-level encryption, as well as transport-level encryption. This demand does not only apply to communication between us (identity broker) and their IDP, but it extends to the communication between the end-user and us.
With our current server we are able to implement this in a manner which we are confident fulfils the demands of the IDP (since I can't post links, I will refer to sections from https://openid.net/specs/openid-connect-core-1_0.html):
- Passing Request Parameters as JWTs - "to enable Authentication Requests to be signed and optionally encrypted"
- ID Token - "ID Tokens MUST be signed using JWS and optionally both signed and then encrypted using JWS and JWE respectively"
- 5.3.2. Successful UserInfo Response - "The UserInfo Claims MUST be returned as the members of a JSON object unless a signed or encrypted response was requested during Client Registration"
Our current implementation allows us to enforce these settings on a per-client basis.
Does ORY Hydra currently support these parts of the OIDC core specs? In fact, does ORY Hydra have full coverage of the OIDC core specs?
PS: The reason we are changing OIDC servers is not directly related to this issue, but any new OIDC/OAuth2 implementation needs to have full feature coverage of our current implementation.