Secret IDs
Identity Cloud uses these IDs to match the secrets it needs for access management signing and encryption with the aliases of the secrets in the secret store. The categories below list the IDs and the algorithms each one supports.
For instructions on using these secret IDs, refer to Use ESVs for signing and encryption keys.
General secrets
PEM decryption password
This table shows the ID for the symmetric encryption key to decrypt certificates, keys, and passwords in Privacy Enhanced Mail (PEM) format.
| Secret ID | Algorithms |
|---|---|
| | |
Encrypt client-side sessions
This table shows the ID for the secret to encrypt client-side sessions:
| Secret ID | Algorithms |
|---|---|
| | RS256 |
Sign client-side sessions
This table shows the ID for the secret to sign client-side sessions:
| Secret ID | Algorithms |
|---|---|
| | RS256 |
OAuth 2.0 and OpenID Connect provider secrets
JWT authenticity signing
This table shows the ID for the secret to sign OAuth 2.0 and OpenID Connect (OIDC) JSON Web Tokens (JWTs):
| Secret ID | Algorithms |
|---|---|
| | HS256 |
This key signs the following tokens and requests:
- OIDC tokens for Web and Java Agents.
- OIDC tokens signed with an HMAC algorithm.
- Macaroon access and refresh tokens.
- Consent requests to remote consent agents signed with an HMAC algorithm.
Encrypt client-side OAuth 2.0 tokens
This table shows the ID for the secret to encrypt client-side access tokens:
| Secret ID | Algorithms |
|---|---|
| | A128CBC-HS256 |
Sign client-side OAuth 2.0 tokens
This table shows the IDs for the secrets to sign client-side access tokens:
| Secret ID | Algorithms |
|---|---|
| | ES256 |
| | ES384 |
| | ES512 |
| | HS256 |
| | PS256 |
Sign remote consent requests
This table shows the IDs for the secrets to sign remote consent requests:
| Secret ID | Algorithms |
|---|---|
| | ES256 |
| | ES384 |
| | ES512 |
| | RS256 |
If you select an HMAC algorithm for signing consent requests (HS256, HS384, or HS512), Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store. Because Identity Cloud and the remote consent client share the HMAC secret, a malicious user compromising the client could potentially create trusted tokens. To protect against misuse, Identity Cloud also signs the token using a non-shared signing key mapped to the am.services.oauth2.jwt.authenticity.signing secret ID.
Decrypt remote consent responses
This table shows the ID for the secret to decrypt remote consent responses:
| Secret ID | Algorithms |
|---|---|
| | RSA-OAEP-256 |
If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.
OAuth 2.0 example remote consent service
This table shows the IDs for the secrets for the example remote consent service:
| Secret ID | Algorithms |
|---|---|
| | RS256 |
| | RSA-OAEP-256 |
Decrypt OIDC request parameters
This table shows the IDs for secrets to decrypt OIDC request parameters:
| Secret ID | Algorithms |
|---|---|
| | RSA with PKCS#1 v1.5 padding |
| | RSA with OAEP with SHA-1 and MGF-1 |
| | RSA with OAEP with SHA-256 and MGF-1 |
For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.
The following use the Client Secret:
- Signing ID tokens with an HMAC algorithm
- Encrypting ID tokens with AES or direct encryption
- Encrypting parameters with AES or direct encryption
Store only one secret in the Client Secret field.
For details about encryption options, refer to the OIDC specification.
CA certificates for mTLS client authentication
This table shows the ID of the trusted CA certificate for mTLS client authentication:
| Secret ID | Algorithms |
|---|---|
| | |
Social identity client secrets
Decrypt ID tokens
This table shows the ID for the secret to decrypt ID tokens and userinfo endpoint JWTs when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
| | |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Sign JWTs and objects
This table shows the ID for the secret to sign JWTs and objects when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
| | |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Certificates for mTLS client authentication
This table shows the ID of the trusted CA or self-signed certificate for mTLS client authentication when Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret ID | Algorithms |
|---|---|
| | |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Web and Java agent secrets
Sign agent JWTs
This table shows the ID for the secret to sign the JWTs issued to Web and Java agents:
| Secret ID | Algorithms |
|---|---|
| | RS256 |
Authentication secrets
Secure journey state data
This table shows the ID for the secret to encrypt sensitive data in the secure state of an authentication journey:
| Secret ID | Algorithms |
|---|---|
| | AES 256-bit |
SAML 2.0 secrets
Encrypt SAML 2.0 session storage JWTs
This table shows the ID for the secret to encrypt the JWTs SAML 2.0 creates in session storage:
| Secret ID | Algorithms |
|---|---|
| | A256GCM |
Sign SAML 2.0 metadata
This table shows the ID for the secret to sign SAML 2.0 metadata:
| Secret ID | Algorithms |
|---|---|
| | RSA SHA-256 |
SAML 2.0 signing and encryption
This table shows the IDs for the secrets to sign and encrypt SAML 2.0 elements:
| Secret ID | Algorithms |
|---|---|
| | RSA with PKCS#1 v1.5 padding |
| | RSA SHA-1 (1) |
| | RSA with PKCS#1 v1.5 padding |
| | RSA SHA-1 (1) |

(1) This algorithm is for compatibility purposes only; do not use it.
You can specify a custom secret ID for each hosted SAML 2.0 entity provider in a realm, which creates new secret IDs. These secret IDs can be unique to a provider, or shared by multiple providers.
For example, you can add a custom secret ID identifier named mySamlSecrets to a hosted identity provider. Identity Cloud dynamically creates the following IDs for the provider’s signing and encryption secrets:
- am.applications.federation.entity.providers.saml2.mySamlSecrets.signing
- am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption
Identity Cloud looks up the secrets with the custom secret ID identifiers. If unsuccessful, Identity Cloud looks up the secrets with the default secret IDs.
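The lookup order described above, as an added example that is not Identity Cloud's own code: it builds the dynamic IDs from a custom identifier, tries them first, and falls back to the defaults. The secret store is modelled as a dict of secret ID to ESV alias, and the default IDs (`...saml2.idp.signing` and `...saml2.idp.encryption`) are assumed stand-ins, since this page does not list them.

```python
from typing import Dict, List, Optional, Tuple

SAML2_ID_PREFIX = "am.applications.federation.entity.providers.saml2"

# Assumed default secret IDs (stand-ins; the page does not list the defaults).
DEFAULT_IDS = {
    "signing": f"{SAML2_ID_PREFIX}.idp.signing",
    "encryption": f"{SAML2_ID_PREFIX}.idp.encryption",
}


def custom_secret_id(identifier: str, purpose: str) -> str:
    """Build the dynamic secret ID derived from a custom secret ID identifier."""
    if purpose not in DEFAULT_IDS:
        raise ValueError(f"unknown purpose: {purpose}")
    return f"{SAML2_ID_PREFIX}.{identifier}.{purpose}"


def resolve_secret(store: Dict[str, str], purpose: str,
                   identifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (secret_id, alias): the custom ID if mapped, else the default ID."""
    candidates: List[str] = []
    if identifier:
        candidates.append(custom_secret_id(identifier, purpose))
    candidates.append(DEFAULT_IDS[purpose])
    for secret_id in candidates:
        alias = store.get(secret_id)
        if alias is not None:
            return secret_id, alias
    # Neither the custom nor the default ID is mapped: fail loudly rather
    # than letting the provider run without a signing/encryption secret.
    raise LookupError(f"no secret mapped for {purpose}; tried {candidates}")


# Constructed sample store: only the custom *signing* ID is mapped, so the
# encryption lookup for "mySamlSecrets" falls back to the default ID.
SAMPLE_STORE = {
    f"{SAML2_ID_PREFIX}.idp.signing": "esv-saml-default-signing",
    f"{SAML2_ID_PREFIX}.idp.encryption": "esv-saml-default-encryption",
    f"{SAML2_ID_PREFIX}.mySamlSecrets.signing": "esv-mysaml-signing",
}

if __name__ == "__main__":
    for purpose in ("signing", "encryption"):
        print(purpose, resolve_secret(SAMPLE_STORE, purpose, "mySamlSecrets"))
```

The fallback is silent, so a provider given a custom identifier but mapped for only one of the two IDs quietly uses the shared default secret for the other; check both IDs after adding a custom identifier.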