Table of Contents
This article explains how to register a JWK set for an Authlete service.
First, refer to the steps below in order to prepare a JWK set.
This article assumes that you have prepared a JWK set in some way. The following example illustrates usage of mkjwk.org service to generate an ES256 key pair, and parameters specified for it.
To register the JWK set you prepared, go to your service settings, inside Key Management > JWK Set. There, you will be able to copy the generated “Public and Private Keypair Set” into the JWK Set Content field of the settings. Make sure to save your changes by hitting the Save Changes button at the bottom of the page.
Now the JWK set has been registered in the service.
In addition, by adding the authorization server’s endpoint as the JWK set endpoint URI, the jwks_uri value is reflected in the authorization server’s metadata document.
You can also use Authlete’s service management APIs to register the JWK set instead of using the Web console. The following example illustrates how to make a request to the /service/update API to specify the JWK set as a value of “jwks” key. Updating service settings requires an organization access token.
Use the /service/get API to retrieve the configuration data of the service.
curl -s {Authlete API}/service/get/{Service API Key} \
-H Authorization: Bearer {OrganizationAccessToken} \
-H 'Content-type: application/json' \
> service.json
Add the following key/value as a JWK set to the JSON formatted configuration data retrieved above and save as updated-service.json.
{
"jwks": {
"keys": [
{
"kty": "EC",
"d": "eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4",
"use": "sig",
"crv": "P-256",
"kid": "2019-07-25_02",
"x": "f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI",
"y": "EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY",
"alg": "ES256"
}
]
}
}
If you would like to register multiple JWKs, specify which one of the JWKs for signing. For example, if you want a JWK identified by key ID “kid”:“2019-07-25_02” to be used for signing ID tokens, you should add the following key/value :
"idTokenSignatureKeyId": "2019-07-25_02"
(see Authlete API Reference for details on idTokenSignatureKeyId)
Use /service/update API to put the new configuration data that includes the JWK set.
cat updated-service.json | \
curl -s -X PUT {Authlete API}/service/update/{Service API Key} \
-H 'Authorization: Bearer {OrganizationAccessToken}' \
-H 'Content-type: application/json' \
-d @-
The new “jwks” should be included in the output as follows.
{
//[...]
"jwks": "{\"keys\":[
{
\"kty\":\"EC\",
\"d\":\"eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4\",
\"use\":\"sig\",
\"crv\":\"P-256\",
\"kid\":\"2019-07-25_02\",
\"x\":\"f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI\",
\"y\":\"EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY\",
\"alg\":\"ES256\"
}
]}",
//[...]
}
To perform key rotation without downtime, it is common to update keys using the following procedure.
jwks_uri (resulting in a state where multiple keys are included)jwks_uri cache on clients and RPs is invalidated and multiple keys are recognizedFor authorization servers using Authlete, steps 1 and 4 correspond to updating the contents of the service’s JWK set (jwks), and step 3 corresponds to updating settings such as the service’s ID token signature key ID (idTokenSignatureKeyId).