JceTokenEncryptionHandler

class JceTokenEncryptionHandler(keyProvider: () -> SecretKey = ::defaultKeyProvider) : TokenEncryptionHandler

JVM-based AES-256-GCM token encryption handler for KMP apps.

Encrypts and decrypts token data using AES-256 in Galois/Counter Mode (GCM). The encryption key is generated on first use and stored in a PKCS12 keystore at ~/.okta/okta.p12. A fresh 12-byte IV is generated for each encryption call and returned in encryptionExtras["iv"]; the same extras map must be passed back to decrypt.

Note: The default key storage uses a fixed keystore password, so security relies on file-system permissions. This is suitable as an SDK default but may not meet enterprise security requirements. For production deployments, supply a custom keyProvider backed by a hardware security module (HSM), or a cloud key management service (AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault).

Parameters

keyProvider

Optional lambda that supplies a custom SecretKey. Defaults to loading the standard key from ~/.okta/okta.p12, generating it on first use.

Constructors

constructor(keyProvider: () -> SecretKey = ::defaultKeyProvider)

Types

object Companion

Functions

open suspend override fun decrypt(ciphertext: ByteArray, encryptionExtras: Map<String, String>): ByteArray

Decrypts the given ciphertext bytes using the IV carried in encryptionExtras["iv"].

open suspend override fun encrypt(plaintext: ByteArray): EncryptionResult

Encrypts the given plaintext bytes and returns the ciphertext together with the encryptionExtras needed to decrypt it.
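The following is an added usage example, not code from the Okta SDK or this page: it supplies a custom keyProvider whose PKCS12 keystore is protected by a caller-supplied password instead of the fixed default, then round-trips a token through the handler. The keystore path, alias and environment variable name are illustrative, and it assumes EncryptionResult exposes ciphertext and encryptionExtras.

```kotlin
import java.io.File
import java.security.KeyStore
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import kotlinx.coroutines.runBlocking

// Hypothetical keyProvider: loads (or creates on first use) an AES-256 key from a
// PKCS12 keystore whose password comes from the environment rather than a fixed string,
// so compromise of the file alone does not yield the key.
fun envProtectedKeyProvider(): SecretKey {
    val password = (System.getenv("TOKEN_KEYSTORE_PASSWORD")   // assumed variable name
        ?: error("TOKEN_KEYSTORE_PASSWORD is not set")).toCharArray()
    val file = File(System.getProperty("user.home"), ".okta/token-keystore.p12") // assumed path
    val alias = "token-encryption-key"                           // assumed alias

    val ks = KeyStore.getInstance("PKCS12")
    if (file.exists()) file.inputStream().use { ks.load(it, password) } else ks.load(null, password)

    // Reuse the existing key if present; getKey returns null for an unknown alias.
    val existing = ks.getKey(alias, password)
    if (existing is SecretKey) return existing

    // First use: generate a 256-bit AES key and persist it under password protection.
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    ks.setEntry(alias, KeyStore.SecretKeyEntry(key), KeyStore.PasswordProtection(password))
    file.parentFile.mkdirs()
    file.outputStream().use { ks.store(it, password) }
    return key
}

fun main() = runBlocking {
    val handler = JceTokenEncryptionHandler(keyProvider = ::envProtectedKeyProvider)

    val token = "constructed-sample-token".toByteArray()
    val result = handler.encrypt(token)

    // Store result.ciphertext together with result.encryptionExtras: the map carries
    // the per-call 12-byte IV under "iv", without which decryption is impossible.
    check(result.encryptionExtras.containsKey("iv"))

    val recovered = handler.decrypt(result.ciphertext, result.encryptionExtras)
    check(recovered.contentEquals(token))
}
```

Because each encrypt call draws a fresh IV, the extras map must be persisted alongside its own ciphertext rather than shared across tokens.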