JWK set settings for an OAuth / OIDC client


In order to verify a signature of request objects coming from a client, or to provide encrypted ID tokens to a client, you have to register the client's public key to Authlete for signature verification and/or message encryption.

This article explains how to register a JWK set to settings of an OAuth / OIDC client that is registered to an Authlete service.

Preparing a JWK set

An administrator of the OAuth / OIDC client is to prepare a JWK set including a public key. Note that the key set must not include a private key.

The following example illustrates usage of mkjwk.org service to generate an ES256 key pair, and parameters specified for it. 

  • Key Type: EC (Elliptic Curve)
  • Curve: P-256
  • Key Use: Encryption
  • Algorithm: ES256
  • Key ID: 2

Remove a private key from the generated "Public and Private Keypair Set." For the keypair set in the example above, the following row is to be removed.

            "d": "sy8TQetYGy1_rziNV3HfSDNjAxy8LoYENUXUTjtICYY",

The result is as follows.

    "keys": [
            "kty": "EC",
            "use": "enc",
            "crv": "P-256",
            "kid": "2",
            "x": "sAyjj8n6w-ZyIP-ELpriYlfYADtYDcHSnH6jLDYuR9k",
            "y": "d68kVNyw5ENj5R8QB103oOU6YCaKGXbQseaeHk5GO-Q",
            "alg": "ES256"

This JSON document is to be used as a JWK set of the client's public key.

Registering a JWK set

Register the public key JWK set to the settings of the OAuth / OIDC client.

In Developer Console, add the JWK set to "JWK Set Content" under "JWK Set" tab for the client. See Client Settings - JWK Set for details.

Registering the JWK set for the client

Now the JWK set has been registered for the OAuth / OIDC client.
How did we do with this article?