JWK set settings for an OAuth / OIDC client

Configuring JWK Set for an OAuth/OIDC Client

Preface

In order to verify the signature of request objects coming from a client, or to provide encrypted ID tokens to a client, you have to register the client’s public key with Authlete for signature verification and/or message encryption.

This article explains how to register a JWK set in the settings of an OAuth/OIDC client registered with an Authlete service.

Preparing a JWK set

The instructions in this section are for illustrative purposes only. Do not use the following JWK set in your production environment.

An administrator of the OAuth / OIDC client prepares a JWK set containing the public key. Note that the key set must not include a private key.

The following example illustrates the use of the mkjwk.org tool to generate a key pair for encryption, and the parameters specified for it.

Item        Value
Key Type    EC (Elliptic Curve)
Curve       P-256
Key Use     Encryption
Algorithm   (none)
Key ID      SHA-256

By clicking the “Generate” button, the tool shows the generated keys in various formats. We use the “Public and Private Keypair Set” format in this example.

[Figure: Generating "Public and Private Keypair Set"]

The original JWK set is as follows.

{
    "keys": [
        {
            "kty": "EC",
            "d": "4AEnTq3H8gcIutIoJCCZuv9GgWdKRaoJIXQkdM8r0UA",
            "use": "enc",
            "crv": "P-256",
            "kid": "_agec7UaYVN4c3RZQJQhUuR6nFSnqEXywv3QaIfFRFk",
            "x": "ilLNQ-Lcp_t5DBs9puJVI3JhwqlMndTILjkBrNd3Dsc",
            "y": "3Uy7NIHilkOWviGXMRIl2ZUE4L7Mc8ub4VhosE3l8t8"
        }
    ]
}

Remove the private key, that is, the "d" parameter shown below.

"d": "4AEnTq3H8gcIutIoJCCZuv9GgWdKRaoJIXQkdM8r0UA",

The result is as follows.

{
    "keys": [
        {
            "kty": "EC",
            "use": "enc",
            "crv": "P-256",
            "kid": "_agec7UaYVN4c3RZQJQhUuR6nFSnqEXywv3QaIfFRFk",
            "x": "ilLNQ-Lcp_t5DBs9puJVI3JhwqlMndTILjkBrNd3Dsc",
            "y": "3Uy7NIHilkOWviGXMRIl2ZUE4L7Mc8ub4VhosE3l8t8"
        }
    ]
}

This JSON document is the JWK set of the client’s public key that will be registered with Authlete.
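The manual step above (stripping the private "d" member before the set is registered) is easy to get wrong for a multi-key set or an RSA key, which has several private members. The following script is an added example, not part of the article or of Authlete's tooling: it takes the article's sample JWK set as constructed input, removes every private member defined for each key type, checks that the result is registrable (no private material left, public members present), and recomputes the RFC 7638 thumbprint, which is assumed here to be what mkjwk's "Key ID: SHA-256" option derives the kid from, so you can compare it with the kid yourself.

```python
import base64
import hashlib
import json

# The article's sample JWK set (constructed input); it still carries the private scalar "d".
ORIGINAL_JWK_SET = {"keys": [{
    "kty": "EC",
    "d": "4AEnTq3H8gcIutIoJCCZuv9GgWdKRaoJIXQkdM8r0UA",
    "use": "enc",
    "crv": "P-256",
    "kid": "_agec7UaYVN4c3RZQJQhUuR6nFSnqEXywv3QaIfFRFk",
    "x": "ilLNQ-Lcp_t5DBs9puJVI3JhwqlMndTILjkBrNd3Dsc",
    "y": "3Uy7NIHilkOWviGXMRIl2ZUE4L7Mc8ub4VhosE3l8t8",
}]}

# Private members per key type (RFC 7518); "oct" keys are symmetric secrets with no public half.
PRIVATE_MEMBERS = {"EC": {"d"}, "OKP": {"d"}, "oct": {"k"},
                   "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}}
# Members a public key must carry; also the RFC 7638 thumbprint input, in lexicographic order.
PUBLIC_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"),
                  "RSA": ("e", "kty", "n")}

def private_members(jwk):
    """Return the private members present in one JWK."""
    return PRIVATE_MEMBERS.get(jwk.get("kty"), set()) & set(jwk)

def contains_private_key(jwk_set):
    """Pre-registration check: True if any key still carries private material."""
    return any(private_members(k) for k in jwk_set["keys"])

def to_public_jwk_set(jwk_set):
    """Copy of the set with private members removed; "oct" keys are dropped, missing public members raise."""
    public_keys = []
    for jwk in jwk_set["keys"]:
        if jwk.get("kty") == "oct":
            continue
        public = {k: v for k, v in jwk.items() if k not in private_members(jwk)}
        missing = set(PUBLIC_MEMBERS.get(jwk.get("kty"), ())) - set(public)
        if missing:
            raise ValueError(f"key {jwk.get('kid')!r} lacks {sorted(missing)}")
        public_keys.append(public)
    return {"keys": public_keys}

def thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint (base64url, unpadded) of a public JWK."""
    canonical = json.dumps({m: jwk[m] for m in PUBLIC_MEMBERS[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
```

Run `contains_private_key` on whatever you are about to paste into the console; if it returns True, pass the set through `to_public_jwk_set` first.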

Registering a JWK set

To add a JWK set for a client in the Authlete Management Console, follow these steps:

  1. Log in to the Authlete Management Console.
  2. Navigate to Client Settings for the desired client.
  3. Select the Key Management > JWK Set tab from the left-hand menu.
  4. Under the JWK Set Content section, paste your JSON Web Key Set (JWK Set) into the input field.
  5. Click Save Changes to apply the configuration.

The JWK set is now registered for the OAuth / OIDC client.