Secret IDs
Identity Cloud uses these IDs to match secrets for access management signing and encryption with the aliases of the secrets in the secret store. Expand the categories for additional information.
For instructions on using these secret IDs, refer to Use ESVs for signing and encryption keys.
OAuth 2.0 and OpenID Connect provider secrets
Encrypt client-side OAuth 2.0 tokens
This table shows the ID for the secret to encrypt client-side access tokens:
| Secret ID | Algorithms |
|---|---|
|
A128CBC-HS256 |
Sign client-side OAuth 2.0 tokens
This table shows the IDs for the secrets to sign client-side access tokens:
| Secret ID | Algorithms |
|---|---|
|
ES256 |
|
ES384 |
|
ES512 |
|
HS256 |
|
PS256 |
Sign remote consent requests
This table shows the IDs for the secrets to sign remote consent requests:
| Secret ID | Algorithms |
|---|---|
|
ES256 |
|
ES384 |
|
ES512 |
|
RS256 |
If you select an HMAC algorithm for signing consent requests (HS256, HS384, or HS512),
Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.
Decrypt remote consent responses
This table shows the ID for the secret to decrypt remote consent responses:
| Secret ID | Algorithms |
|---|---|
|
RSA-OAEP-256 |
If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.
OAuth 2.0 example remote consent service
This table shows the IDs for the secrets for the example remote consent service:
| Secret ID | Algorithms |
|---|---|
|
RS256 |
|
RSA-OAEP-256 |
Decrypt OIDC request parameters
This table shows the IDs for secrets to decrypt OIDC request parameters:
| Secret ID | Algorithms |
|---|---|
|
RSA with PKCS#1 v1.5 padding |
|
RSA with OAEP with SHA-1 and MGF-1 |
|
RSA with OAEP with SHA-256 and MGF-1 |
For confidential clients,
if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir),
Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.
The following use the Client Secret:
-
Signing ID tokens with an HMAC algorithm
-
Encrypting ID tokens with AES or direct encryption
-
Encrypting parameters with AES or direct encryption
Store only one secret in the Client Secret field.
For details about encryption options, refer to the OIDC specification.
CA certificates for mTLS client authentication
This table shows the ID of the trusted CA certificate for mTLS client authentication:
| Secret ID | Algorithms |
|---|---|
|
Social identity client secrets
Decrypt ID tokens
This table shows the ID for the secret to decrypt ID tokens and userinfo endpoint JWTs
when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Sign JWTs and objects
This table shows the ID for the secret to sign JWTs and objects when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Certificates for mTLS client authentication
This table shows the ID of the trusted CA or self-signed certificate for mTLS client authentication when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Web and Java agent secrets
Sign agent JWTs
This table shows the ID for the secret to sign the JWTs issued to Web and Java agents:
| Secret ID | Algorithms |
|---|---|
|
RS256 |
Authentication secrets
Secure journey state data
This table shows the ID for the secret to encrypt sensitive data in the secure state of an authentication journey:
| Secret ID | Algorithms |
|---|---|
|
AES 256-bit |
SAML 2.0 secrets
Sign SAML 2.0 metadata
This table shows the ID for the secret to sign SAML 2.0 metadata:
| Secret ID | Algorithms |
|---|---|
|
RSA SHA-256 |
SAML 2.0 signing and encryption
This table shows the IDs for the secrets to sign and encrypt SAML 2.0 elements:
| Secret ID | Algorithms |
|---|---|
|
RSA with PKCS#1 v1.5 padding |
|
RSA SHA-1(1) |
|
RSA with PKCS#1 v1.5 padding |
|
RSA SHA-1(1) |
(1) This algorithm is for compatibility purposes only; do not use it.
You can specify a custom secret ID for each hosted SAML 2.0 entity provider in a realm, which creates new secret IDs. These secret IDs can be unique to a provider, or shared by multiple providers.
For example, you can add a custom secret ID identifier named mySamlSecrets to a hosted identity provider. Identity Cloud dynamically creates the following IDs for the provider’s signing and encryption secrets:
-
am.applications.federation.entity.providers.saml2.mySamlSecrets.signing -
am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption
Identity Cloud looks up the secrets with the custom secret ID identifiers. If unsuccessful, Identity Cloud looks up the secrets with the default secret IDs.
Attestation secrets
Google hardware attestation root certificate
This table shows the ID for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.
Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.
| Secret ID | Algorithms |
|---|---|
|
RSA / X.509 |