Konubinix' opinionated web of thoughts

JSON Web Key Sets

Fleeting

JSON Web Key Sets and JSON Web Key are defined in the same standard.

In OpenID Connect, you find its JWKS using the standard well-known/openid-configuration, using the .jwks_uri entry (as documented in OAuth 2.0 Authorization Server Metadata). It is in general available at /.well-known/jwks.json.

Do not use ID tokens to gain access to an API. Each token contains information for the intended audience (which is usually the recipient). According to the OpenID Connect specification, the audience of the ID token (indicated by the aud claim) must be the client ID of the application making the authentication request. If this is not the case, you should not trust the token

https://auth0.com/docs/secure/tokens

Conversely, an API expects a token with the aud value to equal the API’s unique identifier

https://auth0.com/docs/secure/tokens

Since the ID token is not signed by the API, the API would have no way of knowing if the application had modified the token (e.g., adding more scopes) if it were to accept the ID Token. See the JWT Handbook for more informatio

https://auth0.com/docs/secure/tokens

Access tokens must never be used for authentication.

https://auth0.com/docs/secure/tokens

Access tokens must never be used for authentication.

https://auth0.com/docs/secure/tokens

The only user information the access token possesses is the user ID, located in the sub claim. In your applications, treat access tokens as opaque strings since they are meant for APIs. Your application should not attempt to decode them or expect to receive tokens in a particular format.

https://auth0.com/docs/secure/tokens

Note that the token does not contain any information about the user besides their ID (sub claim). It only contains authorization information about which actions the application is allowed to perform at the API (scope claim). This is what makes it useful for securing an API, but not for authenticating a user

https://auth0.com/docs/secure/tokens

many cases, you might find it useful to retrieve additional user information at the API, so the access token is also valid for calling the /userinfo endpoint, which returns the user’s profile information. The intended audience (indicated by the aud claim) for this token is both your custom API as specified by its identifier (such as https://my-api-identifier) and the /userinfo endpoint (such as https://your_domain/userinfo).

https://auth0.com/docs/secure/tokens

Item Description

JSON Web Key (JWK) A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

JSON Web Key Set (JWKS) A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs

https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets

The JSON Web Key Set (JWKS) is a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.

https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets

JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.

https://datatracker.ietf.org/doc/html/rfc7517

JWK Set JSON data structure that represents a set of JWKs.

https://datatracker.ietf.org/doc/html/rfc7517

JSON Web Key (JWK) A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

https://datatracker.ietf.org/doc/html/rfc7517

JWK Set A JSON object that represents a set of JWKs. The JSON object MUST have a “keys” member, which is an array of JWKs.

https://datatracker.ietf.org/doc/html/rfc7517

each JWK will have members that are key type specific. These members represent the parameters of the key. Section 6 of the JSON Web Algorithms (JWA) [JWA] specification defines multiple kinds of cryptographic keys and their associated members.

https://datatracker.ietf.org/doc/html/rfc7517

The “kty” (key type) parameter identifies the cryptographic algorithm family used with the key, such as “RSA” or “EC”.

https://datatracker.ietf.org/doc/html/rfc7517

The “use” parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data.

https://datatracker.ietf.org/doc/html/rfc7517

Values defined by this specification are:

o “sig” (signature) o “enc” (encryption)

https://datatracker.ietf.org/doc/html/rfc7517

The “key_ops” (key operations) parameter identifies the operation(s) for which the key is intended to be used

https://datatracker.ietf.org/doc/html/rfc7517

Values defined by this specification are:

o “sign” (compute digital signature or MAC) o “verify” (verify digital signature or MAC) o “encrypt” (encrypt content) o “decrypt” (decrypt content and validate decryption, if applicable) o “wrapKey” (encrypt key) o “unwrapKey” (decrypt key and validate decryption, if applicable) o “deriveKey” (derive key) o “deriveBits” (derive bits not to be used as a key)

https://datatracker.ietf.org/doc/html/rfc7517

The “alg” (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA “JSON Web Signature and Encryption Algorithms” registry established by [JWA]

https://datatracker.ietf.org/doc/html/rfc7517

The “kid” (key ID) parameter is used to match a specific key

https://datatracker.ietf.org/doc/html/rfc7517

The structure of the “kid” value is unspecified. When “kid” values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct “kid” values.

https://datatracker.ietf.org/doc/html/rfc7517

The “x5c” (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280].

https://datatracker.ietf.org/doc/html/rfc7517

The value of the “keys” parameter is an array of JWK values

https://datatracker.ietf.org/doc/html/rfc7517

Notes linking here