JSON Web Key Sets
Fleeting
- External reference: https://datatracker.ietf.org/doc/html/rfc7517
- External reference: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
- External reference: https://auth0.com/docs/secure/tokens
JSON Web Key Sets and JSON Web Key are defined in the same standard.
In OpenID Connect, a provider's JWKS is located through the standard /.well-known/openid-configuration document, via its jwks_uri entry (as documented in OAuth 2.0 Authorization Server Metadata). It is in general available at /.well-known/jwks.json.
Do not use ID tokens to gain access to an API. Each token contains information for the intended audience (which is usually the recipient). According to the OpenID Connect specification, the audience of the ID token (indicated by the aud claim) must be the client ID of the application making the authentication request. If this is not the case, you should not trust the token.
Conversely, an API expects a token with the aud value to equal the API's unique identifier.
Since the ID token is not signed for the API, the API would have no way of knowing if the application had modified the token (e.g., adding more scopes) if it were to accept the ID token. See the JWT Handbook for more information.
Access tokens must never be used for authentication.
The only user information the access token possesses is the user ID, located in the sub claim. In your applications, treat access tokens as opaque strings since they are meant for APIs. Your application should not attempt to decode them or expect to receive tokens in a particular format.
Note that the token does not contain any information about the user besides their ID (sub claim). It only contains authorization information about which actions the application is allowed to perform at the API (scope claim). This is what makes it useful for securing an API, but not for authenticating a user.
In many cases, you might find it useful to retrieve additional user information at the API, so the access token is also valid for calling the /userinfo endpoint, which returns the user's profile information. The intended audience (indicated by the aud claim) for this token is both your custom API as specified by its identifier (such as https://my-api-identifier) and the /userinfo endpoint (such as https://your_domain/userinfo).
| Item | Description |
| --- | --- |
| JSON Web Key (JWK) | A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. |
| JSON Web Key Set (JWKS) | A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs. |
— https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.
— https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.
JWK Set A JSON data structure that represents a set of JWKs.
JSON Web Key (JWK) A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
JWK Set A JSON object that represents a set of JWKs. The JSON object MUST have a “keys” member, which is an array of JWKs.
Each JWK will have members that are key-type specific. These members represent the parameters of the key. Section 6 of the JSON Web Algorithms (JWA) [JWA] specification defines multiple kinds of cryptographic keys and their associated members.
The “kty” (key type) parameter identifies the cryptographic algorithm family used with the key, such as “RSA” or “EC”.
The “use” parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data.
Values defined by this specification are:
- “sig” (signature)
- “enc” (encryption)
The “key_ops” (key operations) parameter identifies the operation(s) for which the key is intended to be used.
Values defined by this specification are:
- “sign” (compute digital signature or MAC)
- “verify” (verify digital signature or MAC)
- “encrypt” (encrypt content)
- “decrypt” (decrypt content and validate decryption, if applicable)
- “wrapKey” (encrypt key)
- “unwrapKey” (decrypt key and validate decryption, if applicable)
- “deriveKey” (derive key)
- “deriveBits” (derive bits not to be used as a key)
The “alg” (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA “JSON Web Signature and Encryption Algorithms” registry established by [JWA]
The “kid” (key ID) parameter is used to match a specific key.
The structure of the “kid” value is unspecified. When “kid” values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct “kid” values.
The “x5c” (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280].
The value of the “keys” parameter is an array of JWK values.
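As an added example (not code from RFC 7517 or the Auth0 docs), the stdlib-only Python below resolves a token header's kid against a JWK Set, refuses keys whose use, kty or alg do not fit RS256 signature verification, and applies the audience rule above, so an ID token is accepted only for its client ID while an access token is accepted for the API identifier or /userinfo. The JWKS values, kids and token claims are constructed placeholders, and the RS256 signature check over the selected key's n/e is assumed to be done afterwards by a JWT library.

```python
import base64
import json

# Constructed sample JWKS (placeholder key values, not a real key set): one RS256
# signing key and one encryption-only key, each with a distinct kid as RFC 7517 advises.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sig-2024", "n": "placeholder-n", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-1", "n": "placeholder-n", "e": "AQAB"},
]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def build_jwt(header: dict, payload: dict) -> str:
    # Constructed token for illustration: the third segment is a placeholder, not a real signature.
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload)) + ".sig"


def select_verification_key(jwks: dict, header: dict) -> dict:
    """Resolve the header's kid against the JWK Set, refusing ambiguous or misused keys."""
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if kid is not None and k.get("kid") == kid]
    if len(matches) != 1:  # no kid, unknown kid, or duplicate kids: all ambiguous
        raise ValueError(f"expected exactly one JWK with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    if key.get("use", "sig") != "sig" or key.get("kty") != "RSA":
        raise ValueError("selected JWK is not an RSA signature-verification key")
    if header.get("alg") != "RS256" or key.get("alg") != "RS256":
        raise ValueError("token alg and key alg must both be RS256")
    return key


def validate_for_audience(token: str, jwks: dict, expected_aud: str) -> dict:
    """Return the claims if the token names a usable JWK and targets expected_aud.
    Assumption: the RS256 signature check with the selected key runs after this accepts."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    select_verification_key(jwks, header)
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be string or array
    if expected_aud not in audiences:
        raise ValueError(f"aud {audiences!r} does not include {expected_aud!r}")
    return payload
```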