dev-rgupta/jwks-api

jwks-api

What is JWKS endpoint?

The JSON Web Key Set (JWKS) endpoint is a read-only endpoint that publishes the public keys' information in the JWKS format. The public keys are the counterparts of the private keys that are used to sign the tokens.

JWT tokens carry a signature so that clients and resource servers can check their legitimacy. In a test environment it is easy to validate a JWT, because we have access to the keystore that holds the public-private key pair. In production, our consumers need to validate our tokens before proceeding, so we need a way to convey our public key to the third party that will consume the token. The JWKS endpoint was introduced as the solution to this problem.

JSON Web Key:

A JWK is a JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

JWKS:

A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, with its value being an array of JWKs.

In simple terms, a JWKS holds an array of keys. Each entry can be used to reconstruct a public key.

kty → identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
kid → (key ID) is used to match a specific key, for instance to choose among the keys in a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the set SHOULD use distinct "kid" values
use → identifies the intended use of the public key: either "sig" (signature) or "enc" (encryption)
alg → identifies the algorithm intended for use with the key, e.g. RS256 or RS512 for an RSA key
e, n → are the RSA public key parameters: n is the modulus and e is the public exponent. EC keys carry different parameters (crv, x, y)

Options

usage: java -jar json-web-key-generator.jar -t <keyType> [options]
 -t,--type <arg>           Key Type, one of: RSA, oct, EC, OKP
 -s,--size <arg>           Key Size in bits, required for RSA and oct key
                           types. Must be an integer divisible by 8
 -c,--curve <arg>          Key Curve, required for EC or OKP key type.
                           Must be one of P-256, secp256k1, P-384, P-521
                           for EC keys or one of Ed25519, Ed448, X25519,
                           X448 for OKP keys.
 -u,--usage <arg>          Usage, one of: enc, sig (optional)
 -a,--algorithm <arg>      Algorithm (optional)
 -i,--id <arg>             Key ID (optional), one will be generated if not
                           defined
 -g,--idGenerator <arg>    Key ID generation method (optional). Can be one
                           of: date, timestamp, sha256, sha1, none. If
                           omitted, generator method defaults to
                           'timestamp'.
 -I,--noGenerateId         <deprecated> Don't generate a Key ID.
                           (Deprecated, use '-g none' instead.)
 -p,--showPubKey           Display public key separately (if applicable)
 -S,--keySet               Wrap the generated key in a KeySet
 -o,--output <arg>         Write output to file. Will append to existing
                           KeySet if -S is used. Key material will not be
                           displayed to console.
 -P,--pubKeyOutput <arg>   Write public key to separate file. Will append
                           to existing KeySet if -S is used. Key material
                           will not be displayed to console. '-o/--output'
                           must be declared as well.
 -x,--x509                 Display keys in X509 PEM format

How to set this up

step 1: Clone this repo as a Maven project. It is a Maven-based Spring Boot application.

step 2: Start the Spring Boot application (default: http://localhost:8080)

step 3: Call the endpoint with the required parameters, e.g. http://localhost:8080/jwsk/{keyType}?alg={algorithm}&size=2048

Sample URLs and output

1: http://localhost:8080/jwsk/RSA?alg=RS256&size=2048 for RSA

{
  "keys": [
      {
          "p": "zIHD_Gobc5-AU4vRwrzMpd5esHLzpqwhc403_piJGkuvEluYwoAWvJ4r46wAdOXrmBqdsxWqgUMhjkFP1Tcofj6PFIZ21x-fnmeDlcTL2Lif4eySQ8R7wq3wTSIIaMMckVAtb-K6Kx7MCKbq3LZKacSdCbS1GGP0bK0lKIVg080",
          "kty": "RSA",
          "q": "xOEHhtV0BN7jgEeF1J2Th9lsMvoqDvsrumA7G-0uq-L-4KnC1NCB6XH9tS6fFoatdof81A8DYjqsEPMySQ9PFLW9T466a0p0c6HL6lVWzkyrQY4yThKCNuWx6XfKEtKNO30h1vY0Ba8GIJjfL4FJdNnH2YsMfum1VU9eIODyEEU",
          "d": "NKoQupUoNYaKUYxG-rb5eEzWUQzF2Tdf0lZsi4jGxvCTa1qb39u0pgdqMEaXzg2BrXSyntA0-fZc80HMr2N5A2vfV-OYVbRetDanLrsrv_IbrfFUdUZEIKn4K08kfRTI4znZO5tboIwbcGLXkp00sNQvw4CuDPKBkqjF2x9VEkvxzv59LElgWjLDZ-A5F1Wa-I2suNjQWOyOm6mcllEuv3TXeYG902ylNsfjfTwYbQ7LEdkKu-z0H_wiwLjjQIQES-aF4Ga71HqZHEj1sKiuHqNBks9OH_Ab2BZm94Di3QzztUd5qW70wrQJ39f6e7NaXHGRIG29RZON231Rii-EsQ",
          "e": "AQAB",
          "kid": "1622906406",
          "qi": "RtWFB05arYaxyLjZKu3r3LqvWWv_vCpQM6Slkrco_pqmwVL2GBz6zhlAjFxDBW7ChRVCNFckqOUJ9L9xR0pV_ngD8qYoAPjRoRNXwnVswkZcnflrj_maxxf1MNq0z0oogeLKr_j7_eAbCcSJF9_OkNJy0M24Ijyby09Eb-kY4xI",
          "dp": "GdWew4lH9IBGvscf9YDSPXXs8k9jNj_ybd1-IFx2nWrIMAKANrnlpWg51SYKXLoa2_koyNHI21F2sLjRc_bm16PhgU9HPf_RszoSZl4Y_kS8ddbj10m_9KTygVv2Qf274yOEyeiTahUW41TqwH0Kw3fB-tLoOa-O1he9ZPQMelU",
          "alg": "RS256",
          "dq": "dM1QatT-NNmLPRKxulcWLLV4NLIn-6VV5weqacIIO1-7eMweU6W0PSwsqa4UIggap0S8YY7aog9O_-tYfPHBJ_c-bhGuVXLhraxizw58Jn5j58uV2q2uZSVWrL0tvIb_1ThCuEZuzKRuzS4E0ykvzExb_Zs5-Z1rwEYLARSTZ8U",
          "n": "nUceHcTjam7v9f94M5Wcz6xdiGrvy-SHMznoA-NsT6UJUedsY84ruCQed3zJfpkSaGM0XGCWjqlk5AXs592pT-5M92PfBmmf3AoSbKIuBZkJInvAqcndbyl1FBd3-4kI2rDI5bl2FsqVWQvXDDMWPx7orU7pfitO-kC_64d5WihScCHT76V0u4HKo_zJT7K9NK32CfEmR_g8u9C76gDz6DELspTrWu_7-RnXEVRnK2bcpOop4IOREuFJcz3FBuqbCZv1eyUDaU1DAcOGg4Cyg9J8CImffcbgRsW5SeZjb62coEVuK7pW8kACrntSJe_7OGDStRAtngxZIxq9mB_mQQ"
      }
  ]
}

2: http://localhost:8080/jwsk/EC?crv=P-256&use=enc for EC

{
  "keys": [
      {
          "kty": "EC",
          "d": "I8ngmZ034UmtH2eDKKHhEDIjYHnxxLueT1XoBonnjSg",
          "use": "enc",
          "crv": "P-256",
          "kid": "enc-1622906241",
          "x": "xbB6OvGMDHzn0wC9u-IzelSh3mhmJle9UAQJA8yPvm8",
          "y": "CecMRlJc4VkaIqegQYRFmIUrhVBoZKdHWMPbFksy5dw"
      }
  ]
}
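The script below is an added example, not code from this repository, and it ties together the two passages above: the JWK members (kty, kid, use, alg, n, e and the private members) and the consumer-side validation that the JWKS endpoint exists for. Note that both sample outputs above still contain private members (d, p, q, dp, dq, qi for RSA; d for EC): a published JWKS must carry only the public members, which is what to_public_jwks enforces. The issuer signs an RS256 JWT with its full private JWK, publishes the stripped set, and the consumer looks the token's kid up in that set and checks the signature. The 1024-bit key is a deterministic toy key generated inside the script so that it runs quickly and offline (real deployments use 2048 bits or more), the kid "example-kid" and the claims are constructed, and RSA with PKCS#1 v1.5 padding is done on Python integers rather than through a crypto library.

```python
import base64
import hashlib
import hmac
import json
import random

# --- base64url helpers (unpadded, as used throughout JOSE) ---
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def int_to_b64url(value: int) -> str:
    return b64url_encode(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")

# --- constructed toy RSA key generation (deterministic seed, Miller-Rabin primes) ---
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate, rng):
            return candidate

def make_private_jwk(kid: str, bits: int = 1024, seed: int = 7) -> dict:
    """Issuer side: a full RSA JWK including private members, like the sample output above."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            break
    d = pow(e, -1, phi)
    return {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
            "n": int_to_b64url(n), "e": int_to_b64url(e), "d": int_to_b64url(d),
            "p": int_to_b64url(p), "q": int_to_b64url(q),
            "dp": int_to_b64url(d % (p - 1)), "dq": int_to_b64url(d % (q - 1)),
            "qi": int_to_b64url(pow(q, -1, p))}

# RFC 7518 private members per key type; none of these may appear in a published JWKS.
PRIVATE_MEMBERS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
                   "EC": {"d"}, "OKP": {"d"}, "oct": {"k"}}

def to_public_jwks(*private_jwks: dict) -> dict:
    """Strip private members so the set is safe to serve from the JWKS endpoint."""
    return {"keys": [{k: v for k, v in jwk.items()
                      if k not in PRIVATE_MEMBERS.get(jwk["kty"], set())}
                     for jwk in private_jwks]}

# --- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 ---
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt_rs256(payload: dict, private_jwk: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": private_jwk["kid"]}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    n, d = b64url_to_int(private_jwk["n"]), b64url_to_int(private_jwk["d"])
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15_sha256(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

def verify_jwt_rs256(token: str, jwks: dict) -> dict:
    """Consumer side: select the key by kid from the published JWKS and check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never accept 'none' or a downgrade
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")
                and k.get("kty") == "RSA" and k.get("use", "sig") == "sig"), None)
    if key is None:
        raise ValueError("no RSA signing key with kid %r" % header.get("kid"))
    n, e = b64url_to_int(key["n"]), b64url_to_int(key["e"])
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15_sha256((h64 + "." + p64).encode(), k)
    if not hmac.compare_digest(expected, recovered):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p64))
```

Usage: `priv = make_private_jwk("example-kid")`, `jwks = to_public_jwks(priv)`, then `verify_jwt_rs256(sign_jwt_rs256({"sub": "alice"}, priv), jwks)` returns the claims, while a token whose payload was altered, or whose header names a different alg or an unknown kid, raises ValueError. The consumer only ever sees `jwks`, which contains exactly kty, kid, use, alg, n and e.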

That's it!

https://knowledge.broadcom.com/external/article/142040/jwks-endpoint.html
https://medium.com/@inthiraj1994/signature-verification-using-jwks-endpoint-in-wso2-identity-server-5ba65c5de086
