Does anyone know how I would configure OpenIDDict so that only the confidential client (with their client id and client secret) can decrypt the JWT id_token to view the claims inside after making a token request? It doesn't seem right that anyone can view the information inside the JWT with the default settings of no encryption. On the other hand, if it's signed with the server secret, then the client must have the server secret to decrypt it, which doesn't seem right either.
It seems like the JWT id_token should be encrypted by the server using the client secret that is required for any token request from a confidential client. That way, only the client could decode the id_token to view the claims inside without having to know the server secret.
Am I thinking about this correctly? Can this be configured in OpenIDDict some way?
Does anyone know how I would configure OpenIDDict so that only the confidential client (with their client id and client secret) can decrypt the JWT id_token to view the claims inside after making a token request?
It's currently not supported... and there's almost no demand for that.
Why? Because it's not a particularly useful security measure for flows using the token endpoint, as you're already supposed to use encryption at the transport layer (i.e. TLS) so that the identity token is always retrieved over a secure channel.
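The property the question is about (the claims of a signed-but-unencrypted id_token are readable by anyone who holds the token, while the key is only needed to check integrity) can be shown with a few lines of standard-library Python. This is an added illustration, not code from the thread or from OpenIddict. It uses HS256 with a constructed HMAC key so that it runs with no dependencies; real id_tokens are usually signed asymmetrically (RS256/ES256) with the issuer's private key and verified with its public key, and the claim values and key below are constructed demo data, not from any real deployment.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: not a real key and not real user data.
SIGNING_KEY = b"constructed-demo-hmac-key-not-a-real-secret"
CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "alice",
    "aud": "client-app",
    "email": "alice@example.com",
}


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by b64url_encode, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_jwt(claims: dict, key: bytes) -> str:
    """Build a JWS (signed, unencrypted) token: header.payload.signature.

    This is the shape an id_token has when no JWE encryption is applied.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is only encoded, not encrypted."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_signature(token: str, key: bytes) -> bool:
    """The key gates integrity checking, not reading; wrong key -> False."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def swap_claims(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature: still readable, no longer valid."""
    header, _payload, sig = token.split(".")
    payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sig}"


if __name__ == "__main__":
    token = make_signed_jwt(CLAIMS, SIGNING_KEY)
    print("claims read with no key:", read_claims_without_key(token))
    print("signature valid with right key:", verify_signature(token, SIGNING_KEY))
    print("signature valid with wrong key:", verify_signature(token, b"wrong-key"))
    forged = swap_claims(token, {**CLAIMS, "sub": "mallory"})
    print("forged claims still readable:", read_claims_without_key(forged)["sub"])
    print("forged token verifies:", verify_signature(forged, SIGNING_KEY))
```

The point of the example: a signature does not hide anything, so with a plain JWS id_token the confidentiality of the claims rests entirely on the channel the token travels over, which is why the answer above points at TLS. Hiding the claims from a party that holds the token would require a JWE layer on top of the JWS, which is the separate feature the question asks about.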