The JSON Web Key Set (JWKS) endpoint is a read-only endpoint that serves public key information in JWKS format. These public keys are the counterparts of the private keys used to sign the tokens.
JWTs carry a signature so that clients and resource servers can verify their legitimacy. In test environments, validating a JWT is easy because we have access to the keystore holding the public/private key pair. In production, our consumers need to validate our tokens before proceeding, so we need a way to convey our public key to the third party that will use the token. The JWKS endpoint was introduced as the solution to this problem.
A JWK is a JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, with its value being an array of JWKs.
In simple terms, a JWKS holds an array of key entries. Each entry carries the parameters needed to construct a public key.
kty → identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC".
kid → the key ID parameter is used to match a specific key. It is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values.
use → identifies the intended use of the public key. It can be either "sig" (signature) or "enc" (encryption).
alg → identifies the algorithm intended for use with the key, e.g. for RSA keys RS256 or RS512.
e, n → are RSA parameters: n is the modulus and e is the public exponent. EC keys use different parameters.
Options

usage: java -jar json-web-key-generator.jar -t <keyType> [options]
 -t,--type <arg>                Key Type, one of: RSA, oct, EC, OKP
 -s,--size <arg>                Key Size in bits, required for RSA and oct key
                                types. Must be an integer divisible by 8
 -c,--curve <arg>               Key Curve, required for EC or OKP key type.
                                Must be one of P-256, secp256k1, P-384, P-521
                                for EC keys or one of Ed25519, Ed448, X25519,
                                X448 for OKP keys.
 -u,--usage <arg>               Usage, one of: enc, sig (optional)
 -a,--algorithm <arg>           Algorithm (optional)
 -i,--id <arg>                  Key ID (optional), one will be generated if not
                                defined
 -g,--idGenerator <arg>         Key ID generation method (optional). Can be one
                                of: date, timestamp, sha256, sha1, none. If
                                omitted, generator method defaults to
                                'timestamp'.
 -I,--noGenerateId <deprecated> Don't generate a Key ID.
                                (Deprecated, use '-g none' instead.)
 -p,--showPubKey                Display public key separately (if applicable)
 -S,--keySet                    Wrap the generated key in a KeySet
 -o,--output <arg>              Write output to file. Will append to existing
                                KeySet if -S is used. Key material will not be
                                displayed to console.
 -P,--pubKeyOutput <arg>        Write public key to separate file. Will append
                                to existing KeySet if -S is used. Key material
                                will not be displayed to console. '-o/--output'
                                must be declared as well.
 -x,--x509                      Display keys in X509 PEM format
Step 1: Clone this repo as a Maven project; it is a Maven-based Spring Boot application.
Step 2: Start the Spring Boot application (default: http://localhost:8080).
Step 3: Call the endpoint with the required parameters, i.e. http://localhost:8080/jwsk/{keyType}?alg={algorithm}&size=2048
1: http://localhost:8080/jwsk/RSA?alg=RS256&size=2048 for RSA
{
  "keys": [
    {
      "p": "zIHD_Gobc5-AU4vRwrzMpd5esHLzpqwhc403_piJGkuvEluYwoAWvJ4r46wAdOXrmBqdsxWqgUMhjkFP1Tcofj6PFIZ21x-fnmeDlcTL2Lif4eySQ8R7wq3wTSIIaMMckVAtb-K6Kx7MCKbq3LZKacSdCbS1GGP0bK0lKIVg080",
      "kty": "RSA",
      "q": "xOEHhtV0BN7jgEeF1J2Th9lsMvoqDvsrumA7G-0uq-L-4KnC1NCB6XH9tS6fFoatdof81A8DYjqsEPMySQ9PFLW9T466a0p0c6HL6lVWzkyrQY4yThKCNuWx6XfKEtKNO30h1vY0Ba8GIJjfL4FJdNnH2YsMfum1VU9eIODyEEU",
      "d": "NKoQupUoNYaKUYxG-rb5eEzWUQzF2Tdf0lZsi4jGxvCTa1qb39u0pgdqMEaXzg2BrXSyntA0-fZc80HMr2N5A2vfV-OYVbRetDanLrsrv_IbrfFUdUZEIKn4K08kfRTI4znZO5tboIwbcGLXkp00sNQvw4CuDPKBkqjF2x9VEkvxzv59LElgWjLDZ-A5F1Wa-I2suNjQWOyOm6mcllEuv3TXeYG902ylNsfjfTwYbQ7LEdkKu-z0H_wiwLjjQIQES-aF4Ga71HqZHEj1sKiuHqNBks9OH_Ab2BZm94Di3QzztUd5qW70wrQJ39f6e7NaXHGRIG29RZON231Rii-EsQ",
      "e": "AQAB",
      "kid": "1622906406",
      "qi": "RtWFB05arYaxyLjZKu3r3LqvWWv_vCpQM6Slkrco_pqmwVL2GBz6zhlAjFxDBW7ChRVCNFckqOUJ9L9xR0pV_ngD8qYoAPjRoRNXwnVswkZcnflrj_maxxf1MNq0z0oogeLKr_j7_eAbCcSJF9_OkNJy0M24Ijyby09Eb-kY4xI",
      "dp": "GdWew4lH9IBGvscf9YDSPXXs8k9jNj_ybd1-IFx2nWrIMAKANrnlpWg51SYKXLoa2_koyNHI21F2sLjRc_bm16PhgU9HPf_RszoSZl4Y_kS8ddbj10m_9KTygVv2Qf274yOEyeiTahUW41TqwH0Kw3fB-tLoOa-O1he9ZPQMelU",
      "alg": "RS256",
      "dq": "dM1QatT-NNmLPRKxulcWLLV4NLIn-6VV5weqacIIO1-7eMweU6W0PSwsqa4UIggap0S8YY7aog9O_-tYfPHBJ_c-bhGuVXLhraxizw58Jn5j58uV2q2uZSVWrL0tvIb_1ThCuEZuzKRuzS4E0ykvzExb_Zs5-Z1rwEYLARSTZ8U",
      "n": "nUceHcTjam7v9f94M5Wcz6xdiGrvy-SHMznoA-NsT6UJUedsY84ruCQed3zJfpkSaGM0XGCWjqlk5AXs592pT-5M92PfBmmf3AoSbKIuBZkJInvAqcndbyl1FBd3-4kI2rDI5bl2FsqVWQvXDDMWPx7orU7pfitO-kC_64d5WihScCHT76V0u4HKo_zJT7K9NK32CfEmR_g8u9C76gDz6DELspTrWu_7-RnXEVRnK2bcpOop4IOREuFJcz3FBuqbCZv1eyUDaU1DAcOGg4Cyg9J8CImffcbgRsW5SeZjb62coEVuK7pW8kACrntSJe_7OGDStRAtngxZIxq9mB_mQQ"
    }
  ]
}
2: http://localhost:8080/jwsk/EC?crv=P-256&use=enc for EC
{
  "keys": [
    {
      "kty": "EC",
      "d": "I8ngmZ034UmtH2eDKKHhEDIjYHnxxLueT1XoBonnjSg",
      "use": "enc",
      "crv": "P-256",
      "kid": "enc-1622906241",
      "x": "xbB6OvGMDHzn0wC9u-IzelSh3mhmJle9UAQJA8yPvm8",
      "y": "CecMRlJc4VkaIqegQYRFmIUrhVBoZKdHWMPbFksy5dw"
    }
  ]
}
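Both responses above include the private members of the generated key ("d", "p", "q", "dp", "dq", "qi" for RSA; "d" for EC), which a JWKS endpoint must never publish. The following audit script, added here as an example and not part of the generator project, checks a JWK Set for leaked private members, duplicate "kid" values and kty/alg/use mismatches, and returns the public-only view that is safe to serve. The sample set is constructed: it reuses the EC key from the second response and a shortened RSA entry with placeholder values.

```python
"""Audit a JWK Set before publishing it at a JWKS endpoint (added example)."""

# Private members per RFC 7518 by key type; none of these may appear in a published JWKS.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # symmetric keys are secret material in their entirety
}
# Public members each key type needs for a consumer to rebuild the public key.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}
ALG_FAMILY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "Ed": "OKP"}


def audit_jwks(jwks: dict) -> tuple[dict, list[str]]:
    """Return (public_only_set, findings); findings is empty when the set is safe to publish."""
    findings, public_keys, seen_kids = [], [], set()
    for i, jwk in enumerate(jwks.get("keys", [])):
        kty, kid, alg, use = jwk.get("kty"), jwk.get("kid"), jwk.get("alg"), jwk.get("use")
        tag = f"key[{i}] kid={kid!r}"
        if kty not in PRIVATE_MEMBERS:
            findings.append(f"{tag}: unsupported or missing kty {kty!r}")
            continue
        leaked = PRIVATE_MEMBERS[kty] & set(jwk)
        if leaked:
            findings.append(f"{tag}: private members present: {sorted(leaked)}")
        if kty == "oct":  # an oct key has no public half, so it can never be published
            continue
        missing = REQUIRED_PUBLIC[kty] - set(jwk)
        if missing:
            findings.append(f"{tag}: missing public members: {sorted(missing)}")
        if kid is None:
            findings.append(f"{tag}: no kid, consumers cannot select it during rollover")
        elif kid in seen_kids:
            findings.append(f"{tag}: duplicate kid")
        seen_kids.add(kid)
        if alg and ALG_FAMILY.get(alg[:2]) not in (None, kty):
            findings.append(f"{tag}: alg {alg} does not match kty {kty}")
        if alg and alg[:2] in ALG_FAMILY and use == "enc":
            findings.append(f"{tag}: signature alg {alg} but use=enc")
        public_keys.append({k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS[kty]})
    return {"keys": public_keys}, findings


# Constructed sample: RSA values are placeholders, the EC entry is the page's own response.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "1622906406", "alg": "RS256", "e": "AQAB", "n": "PLACEHOLDER-n",
     "d": "PLACEHOLDER-d", "p": "PLACEHOLDER-p", "q": "PLACEHOLDER-q"},
    {"kty": "EC", "kid": "enc-1622906241", "use": "enc", "crv": "P-256",
     "d": "I8ngmZ034UmtH2eDKKHhEDIjYHnxxLueT1XoBonnjSg",
     "x": "xbB6OvGMDHzn0wC9u-IzelSh3mhmJle9UAQJA8yPvm8",
     "y": "CecMRlJc4VkaIqegQYRFmIUrhVBoZKdHWMPbFksy5dw"},
]}
```

Running `audit_jwks(SAMPLE_JWKS)` reports both keys as leaking private members and returns a set with only kty, kid, alg, use, crv, e, n, x and y, which then audits clean.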
That's it!