Indirect Client and Encrypted Tokens and OidcProfile


Arun Subramanian

Feb 10, 2023, 2:20:38 PM2/10/23
to Pac4j users mailing list
Firstly, thanks for your efforts on the wonderful Pac4J security library.

Background: Ours is a traditional enterprise web application running on WebLogic and JDK 8, and we are migrating from SiteMinder SSO to Ping Identity OIDC for authentication.

I'm planning to use the JDK 8 compatible versions of the pac4j-oidc and pac4j-jwt modules (v4.5.7) and jee-pac4j (v5.0.0) for the OIDC integration. We will be using the Authorization Code Flow with PKCE for this integration.

I know that I need to configure the Pac4J servlet filters (SecurityFilter, CallbackFilter and LogoutFilter) in the web.xml. We are going to be receiving an encrypted JWT id token and access token from the token endpoint, and we will also get a key to decrypt the tokens. How do I build out the OidcProfile with all the attributes after decrypting the id and access tokens? Does JwtAuthenticator have to be used here? If you could lay out the general steps of how this could be done, that would be much appreciated.

Thanks.
