JWK set settings for an OAuth / OIDC client


In order to verify a signature of request objects coming from a client, or to provide encrypted ID tokens to a client, you have to register the client's public key to Authlete for signature verification and/or message encryption.

This article explains how to register a JWK set to settings of an OAuth / OIDC client that is registered to an Authlete service.

Preparing a JWK set

An administrator of the OAuth / OIDC client is to prepare a JWK set including a public key. Note that the key set must not include a private key.

The following example illustrates usage of mkjwk.org service to generate an ES256 key pair, and parameters specified for it. 

  • Key Type: EC (Elliptic Curve)
  • Curve: P-256
  • Key Use: Encryption
  • Algorithm: ES256
  • Key ID: 2

Remove a private key from the generated "Public and Private Keypair Set." For the keypair set in the example above, the following row is to be removed.

            "d": "sy8TQetYGy1_rziNV3HfSDNjAxy8LoYENUXUTjtICYY",

The result is as follows.

    "keys": [
            "kty": "EC",
            "use": "enc",
            "crv": "P-256",
            "kid": "2",
            "x": "sAyjj8n6w-ZyIP-ELpriYlfYADtYDcHSnH6jLDYuR9k",
            "y": "d68kVNyw5ENj5R8QB103oOU6YCaKGXbQseaeHk5GO-Q",
            "alg": "ES256"

This JSON document is to be used as a JWK set of the client's public key.

Registering a JWK set

Register the public key JWK set to the settings of the OAuth / OIDC client.

In Developer Console, add the JWK set to "JWK Set Content" under "JWK Set" tab for the client.

Registering the JWK set for the client

Now the JWK set has been registered for the OAuth / OIDC client.
How did we do with this article?