Skip to main content

Setting up Tide E2EE

This guide shows you how to set up Tide end-to-end encryption: define the realm roles that gate encrypt and decrypt, create an OIDC app that carries them, and authorize the governed change request that grants them.

For what end-to-end encryption is and why it works this way, including how roles and scopes gate encrypt and decrypt under the hood, see Hermetic End-to-End Encryption.

Before you start

  • You have admin access to the TideCloak tide-console.
  • You have a Tide realm with the Tide IdP added and licensed.
  • QEA (Quorum Enforced Authorization) is enabled and your admin account holds the tide-realm-admin role. To set this up, see Set up QEA.

1. Define encrypt/decrypt roles

  1. In the tide-console, turn on the Advanced toggle (bottom-left), go to RolesRealm rolesAdd a role.

    Create role screen
  2. Create two roles for each field you want to protect. For example, to protect dateOfBirth:

    _tide_dob.selfencrypt
    _tide_dob.selfdecrypt
    Define roles example
  3. Assign the roles to your defaults group. In RolesRealm roles, select default-roles-<realm>, click Assign role, filter for your new roles, then Add.

2. Authorize the change request

The role assignment files a governed change request that the admin quorum must authorize. For the Authorize / Commit mechanics, see Set up QEA.

  1. Go to QEA Approvals → open the change request → Authorize.

    Authorize change request
  2. After approval, both roles appear under default-roles-<realm>.

3. Create an OIDC app

  1. Go to AppsAdd an app:

    • Name: a descriptive label, e.g. edtest-client.
    • Where does it live?: your app's URL (optional while testing).
    Create app
  2. In the app's Settings tab, set redirect URIs and web origins to your app's callback and origin.

  3. Open the App scopes tab and confirm your client carries the scopes your encrypt/decrypt roles need. Use + Add scope to add any missing scope under Default app scopes (granted on every token) or Optional app scopes (granted only when requested).

4. Encrypt and decrypt via the API

  1. Acquire an OIDC token requesting openid plus your custom scopes (e.g. _tide_dob.selfencrypt).

  2. Call the encrypt endpoint, gated by _tide_dob.selfencrypt:

    POST /realms/<realm>/protocol/openid-connect/encrypt
    Authorization: Bearer <access_token>
    Content-Type: application/json
    {
    "field": "dateOfBirth",
    "value": "1980-01-01"
    }

    The response returns ciphertext.

  3. Call the decrypt endpoint, gated by _tide_dob.selfdecrypt:

    POST /realms/<realm>/protocol/openid-connect/decrypt
    Authorization: Bearer <access_token>
    Content-Type: application/json
    {
    "field": "dateOfBirth",
    "ciphertext": "<returned_ciphertext>"
    }

    The response returns the original plaintext.