Setting up Tide E2EE
This guide shows you how to set up Tide end-to-end encryption: define the realm roles that gate encrypt and decrypt, create an OIDC app that carries them, and authorize the governed change request that grants them.
For what end-to-end encryption is and why it works this way, including how roles and scopes gate encrypt and decrypt under the hood, see Hermetic End-to-End Encryption.
Before you start
- You have admin access to the TideCloak tide-console.
- You have a Tide realm with the Tide IdP added and licensed.
- QEA (Quorum Enforced Authorization) is enabled and your admin account holds the
tide-realm-adminrole. To set this up, see Set up QEA.
1. Define encrypt/decrypt roles
-
In the tide-console, turn on the Advanced toggle (bottom-left), go to Roles → Realm roles → Add a role.
-
Create two roles for each field you want to protect. For example, to protect
dateOfBirth:_tide_dob.selfencrypt_tide_dob.selfdecrypt
-
Assign the roles to your defaults group. In Roles → Realm roles, select
default-roles-<realm>, click Assign role, filter for your new roles, then Add.
2. Authorize the change request
The role assignment files a governed change request that the admin quorum must authorize. For the Authorize / Commit mechanics, see Set up QEA.
-
Go to QEA Approvals → open the change request → Authorize.
-
After approval, both roles appear under
default-roles-<realm>.
3. Create an OIDC app
-
Go to Apps → Add an app:
- Name: a descriptive label, e.g.
edtest-client. - Where does it live?: your app's URL (optional while testing).
- Name: a descriptive label, e.g.
-
In the app's Settings tab, set redirect URIs and web origins to your app's callback and origin.
-
Open the App scopes tab and confirm your client carries the scopes your encrypt/decrypt roles need. Use + Add scope to add any missing scope under Default app scopes (granted on every token) or Optional app scopes (granted only when requested).
4. Encrypt and decrypt via the API
-
Acquire an OIDC token requesting
openidplus your custom scopes (e.g._tide_dob.selfencrypt). -
Call the encrypt endpoint, gated by
_tide_dob.selfencrypt:POST /realms/<realm>/protocol/openid-connect/encryptAuthorization: Bearer <access_token>Content-Type: application/json{"field": "dateOfBirth","value": "1980-01-01"}The response returns
ciphertext. -
Call the decrypt endpoint, gated by
_tide_dob.selfdecrypt:POST /realms/<realm>/protocol/openid-connect/decryptAuthorization: Bearer <access_token>Content-Type: application/json{"field": "dateOfBirth","ciphertext": "<returned_ciphertext>"}The response returns the original plaintext.