JWK Set

Overview

The JSON Web Key Set (JWKS) URI serves the public keys that the Identity Provider (IdP) uses to sign tokens (e.g., ID Tokens and, when they are JWTs, Access Tokens).

Clients (Relying Parties, RPs) retrieve the JWKS document to validate token signatures, which establishes that a token is authentic and has not been modified.

Endpoint

The endpoint is advertised as jwks_uri in the metadata document exposed by the discovery endpoint (.well-known/openid-configuration) and is typically:

GET https://[BASE_URL]/.well-known/openid-configuration/jwks

Response

The response is a JSON object whose keys member is an array of public keys (JWKs), each identified by a kid. Example:

{
   "keys": [
     {
       "kty": "RSA",
       "kid": "1b94c",
       "use": "sig",
       "alg": "RS256",
       "n": "vrjOf...",
       "e": "AQAB"
     },
     {
       "kty": "EC",
       "kid": "5df2a",
       "use": "sig",
       "alg": "ES256",
       "crv": "P-256",
       "x": "f83OJ3...",
       "y": "x_FEzRu..."
     }
   ]
}

Usage

  1. Retrieve JWKS:
     GET https://[BASE_URL]/.well-known/openid-configuration/jwks

  2. Select Key by kid:
     Tokens (e.g., JWTs) include a kid (Key ID) in their header. The RP uses this value to find the correct key in the JWKS.

  3. Verify Signature:
     The RP uses the key to validate the token’s signature and ensure it was issued by the IdP.
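The three steps above, carried out end to end, as an added example that is not part of the original page. It stands in for a real IdP by generating a throwaway P-256 key, publishing it as a JWKS document (reusing the kid 5df2a from the sample response above) and minting an ES256 JWT with constructed claims; the RP side then parses the JWKS, selects the key by kid, checks that the key really is an ES256 signing key, and verifies the signature. Everything except the JWKS field names and the JWT compact format is an assumption made for the example; a real RP fetches the document from jwks_uri instead of building it locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk holds the subset of JSON Web Key fields needed for an EC P-256 signing key.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// JWK coordinates and JWT segments use base64url without padding.
var b64 = base64.RawURLEncoding

// selectKey implements step 2: find the key whose kid matches the token header,
// and refuse it unless it is an EC P-256 key published for ES256 signatures.
func selectKey(set jwks, kid string) (*ecdsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid {
			continue
		}
		if k.Kty != "EC" || k.Crv != "P-256" || k.Use != "sig" || k.Alg != "ES256" {
			return nil, fmt.Errorf("key %q is not an ES256 signing key", kid)
		}
		xb, err := b64.DecodeString(k.X)
		if err != nil {
			return nil, err
		}
		yb, err := b64.DecodeString(k.Y)
		if err != nil {
			return nil, err
		}
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
			return nil, errors.New("public key point is not on P-256")
		}
		return pub, nil
	}
	return nil, fmt.Errorf("no key with kid %q in JWKS", kid)
}

// verifyES256 implements step 3 for a compact JWT: pin the algorithm to ES256,
// look up the key by kid, and check the raw r||s signature over header.payload.
func verifyES256(token string, set jwks) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, errors.New("malformed compact JWT")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return false, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return false, err
	}
	if hdr.Alg != "ES256" { // never let the token pick the algorithm
		return false, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := selectKey(set, hdr.Kid)
	if err != nil {
		return false, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return false, errors.New("ES256 signature must be 64 bytes of r||s")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], r, s), nil
}

// verifyToken is the RP entry point: parse the JWKS document, then verify.
func verifyToken(jwksJSON, token string) (bool, error) {
	var set jwks
	if err := json.Unmarshal([]byte(jwksJSON), &set); err != nil {
		return false, err
	}
	return verifyES256(token, set)
}

// issueDemo stands in for the IdP (constructed for this example): a fresh P-256 key,
// a JWKS document advertising it under kid 5df2a, and an ES256 JWT signed with it.
func issueDemo() (jwksJSON, token string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	pad := func(v *big.Int) []byte { return v.FillBytes(make([]byte, 32)) } // fixed 32-byte coordinates
	set := jwks{Keys: []jwk{{Kty: "EC", Kid: "5df2a", Use: "sig", Alg: "ES256", Crv: "P-256",
		X: b64.EncodeToString(pad(priv.PublicKey.X)), Y: b64.EncodeToString(pad(priv.PublicKey.Y))}}}
	raw, _ := json.Marshal(set)
	header := b64.EncodeToString([]byte(`{"alg":"ES256","kid":"5df2a","typ":"JWT"}`))
	claims := b64.EncodeToString([]byte(`{"iss":"https://idp.example","sub":"alice"}`)) // constructed claims
	digest := sha256.Sum256([]byte(header + "." + claims))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", "", err
	}
	return string(raw), header + "." + claims + "." + b64.EncodeToString(append(pad(r), pad(s)...)), nil
}

func main() {
	doc, tok, err := issueDemo()
	if err != nil {
		panic(err)
	}
	ok, err := verifyToken(doc, tok)
	fmt.Println("genuine token verifies:", ok, err)
	parts := strings.Split(tok, ".")
	parts[1] = b64.EncodeToString([]byte(`{"iss":"https://idp.example","sub":"mallory"}`))
	ok, err = verifyToken(doc, strings.Join(parts, "."))
	fmt.Println("tampered payload verifies:", ok, err)
}
```

The RP refuses to proceed on three independent conditions before it ever reaches the signature check: an alg other than the one it expects, a kid that is absent from the JWKS, and a key whose kty/crv/use/alg do not describe an ES256 signing key. Each rejection is an error rather than a silent false, so a deployment can log and alert on them separately.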

Security Considerations

  • Only trust keys obtained over HTTPS from the jwks_uri advertised in .well-known/openid-configuration; never accept key material or key locations carried inside the token itself.
  • Cache keys, but refresh them periodically, since IdPs rotate signing keys; a token with an unknown kid is a reason to re-fetch the JWKS (rate-limited), not to skip verification.