Changing signing key for ID tokens

Overview

This article walks through an example of changing the signing key for ID tokens. For Authlete to sign ID tokens with the new key, you may need to configure both the Authlete service and the client registered to that service.

Service settings

Register a JWK set document in the “JWK Set Content” section of Service Settings. See the following article for instructions.

After registration, enter the “kid” of the key pair (“1” in this example) in the “ID Token Signature Key ID” section of the same “JWK Set” tab.

(Screenshot: “ID Token Signature Key ID” in the JWK Set tab)

Client settings

For the Authlete service to issue ID tokens signed with the new key (signature algorithm: ES256), choose “ES256” in the “ID Token Signature Algorithm” section of Client Settings.

(Screenshot: “ID Token Signature Algorithm” in Client Settings)

With the settings above, Authlete uses the ES256 key (identified by “kid=1”) to sign ID tokens for the client.
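The two settings above only work together if the “ID Token Signature Key ID” names a key that actually exists in the registered JWK set and that key is usable for the client’s “ID Token Signature Algorithm”. The following Go program is an added example, not Authlete’s code: it models a minimal JWK set, runs that consistency check (hypothetical `checkSettings`), mints an ES256 ID token whose header carries `kid=1`, and verifies it the way a relying party would, selecting the key by `kid` and refusing any `alg` other than the one the client was configured for. The key is generated at run time, the JWK fields are the minimal EC subset, and the issuer and subject values are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is a minimal EC JSON Web Key; jwkSet mirrors the "JWK Set Content" document.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type jwkSet struct{ Keys []jwk `json:"keys"` }

var enc = base64.RawURLEncoding

// publicJWK exports the public half of an ES256 (EC P-256) key under the given kid.
func publicJWK(priv *ecdsa.PrivateKey, kid string) jwk {
	return jwk{Kty: "EC", Crv: "P-256", Kid: kid,
		X: enc.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		Y: enc.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))}
}

// checkSettings (hypothetical helper): "ID Token Signature Key ID" must name a key in
// the set and that key must suit the client's alg. Only ES256 is modelled here.
func checkSettings(set jwkSet, keyID, clientAlg string) (*jwk, error) {
	for i, k := range set.Keys {
		if k.Kid != keyID {
			continue
		}
		if clientAlg != "ES256" || k.Kty != "EC" || k.Crv != "P-256" {
			return nil, fmt.Errorf("kid %q (%s/%s) cannot serve alg %s", keyID, k.Kty, k.Crv, clientAlg)
		}
		return &set.Keys[i], nil
	}
	return nil, fmt.Errorf("no key with kid %q in the JWK set", keyID)
}

// signIDToken mints a compact JWS whose header carries alg=ES256 and the kid.
func signIDToken(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are R||S, 32 bytes each, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyIDToken is the relying-party side: require the alg the client was
// configured for, select the key by kid, then verify the ECDSA signature.
func verifyIDToken(token string, set jwkSet, clientAlg string) (map[string]interface{}, error) {
	p := strings.Split(token, ".")
	var hdr map[string]string
	if hdrBytes, err := enc.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	if hdr["alg"] != clientAlg { // never let the token choose the algorithm
		return nil, fmt.Errorf("token alg %q, client configured for %s", hdr["alg"], clientAlg)
	}
	key, err := checkSettings(set, hdr["kid"], clientAlg)
	if err != nil {
		return nil, err
	}
	x, errX := enc.DecodeString(key.X)
	y, errY := enc.DecodeString(key.Y)
	sig, errS := enc.DecodeString(p[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad key coordinates or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{}
	payload, _ := enc.DecodeString(p[1])
	return claims, json.Unmarshal(payload, &claims)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the new ES256 key, kid "1"
	tok, _ := signIDToken(priv, "1", map[string]interface{}{"iss": "https://as.example", "sub": "alice"})
	fmt.Println(verifyIDToken(tok, jwkSet{Keys: []jwk{publicJWK(priv, "1")}}, "ES256"))
}
```

Running `checkSettings` against the JWK set you are about to register, with the `kid` you plan to put in “ID Token Signature Key ID” and the algorithm the client will select, catches the two misconfigurations that otherwise surface only as failed token issuance or failed verification: a `kid` that is absent from the set, and a key whose type does not match the chosen algorithm.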