Changing signing key for ID token
This article walks through an example of changing the signing key for ID tokens. To have Authlete sign an ID token with the new key, you may have to configure both the Authlete service and the client registered to that service.
Register a JWK set document in the "JWK Set Content" section of Service Settings.
The following example uses the mkjwk.org service to generate an ES256 key pair with these parameters:
- Key Type: Elliptic Curve
- Curve: P-256
- Key Use: Signing
- Algorithm: ES256
- Key ID: 1
Copy the generated document from the "Keypair set" section and paste it into the service's "JWK Set Content" section in the "JWK Set" tab. Also add the "kid" value of this key pair set ("1" in this example) to the "ID Token Signature Key ID" section on the same settings page.
For the Authlete service to issue an ID token signed with the new key (signature algorithm: ES256), choose "ES256" in the "ID Token Signature Algorithm" section of Client Settings.
With the settings above, Authlete will use the ES256 key (identified by "kid=1") to sign ID tokens for the client.
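A JWK set document can be checked locally before it is pasted into "JWK Set Content", and an issued ID token can be checked afterwards to confirm that it names the new key. The following is an added example, not Authlete's code: the function names and sample data are constructed for illustration, and the header check assumes the ID token's JOSE header carries both `alg` and `kid`.

```python
import base64
import json

def b64u_decode(s):
    # base64url without padding, the encoding used in JWK and JWT
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_signing_jwk(jwks_text, kid):
    """Return a list of problems with the ES256 signing key `kid` in a JWK set."""
    keys = [k for k in json.loads(jwks_text).get("keys", []) if k.get("kid") == kid]
    if len(keys) != 1:
        return [f"expected exactly one key with kid={kid!r}, found {len(keys)}"]
    jwk, problems = keys[0], []
    # Parameters chosen in the article's mkjwk.org example
    for name, want in {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256"}.items():
        if jwk.get(name) != want:
            problems.append(f"{name} is {jwk.get(name)!r}, expected {want!r}")
    # x, y: public point; d: private scalar, required for signing. All 32 bytes on P-256.
    for name in ("x", "y", "d"):
        if name not in jwk:
            problems.append(f"missing {name!r}")
            continue
        try:
            size = len(b64u_decode(jwk[name]))
        except ValueError:
            size = -1
        if size != 32:
            problems.append(f"{name!r} does not decode to 32 bytes")
    return problems

def id_token_uses_key(id_token, kid, alg="ES256"):
    # Assumption: the JOSE header of the issued ID token carries both alg and kid.
    header = json.loads(b64u_decode(id_token.split(".")[0]))
    return header.get("alg") == alg and header.get("kid") == kid

# Constructed sample data: zero-filled placeholders, not a usable key or a real token.
_v = b64u_encode(bytes(32))
_key = {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256", "kid": "1",
        "x": _v, "y": _v, "d": _v}
_pub = {**{k: v for k, v in _key.items() if k != "d"}, "kid": "2"}
SAMPLE_JWKS = json.dumps({"keys": [_key, _pub]})
SAMPLE_ID_TOKEN = b64u_encode(json.dumps({"alg": "ES256", "kid": "1"}).encode()) + ".e30.c2ln"

if __name__ == "__main__":
    print(check_signing_jwk(SAMPLE_JWKS, "1"))   # key matching the article's settings
    print(check_signing_jwk(SAMPLE_JWKS, "2"))   # public-only key cannot sign
    print(id_token_uses_key(SAMPLE_ID_TOKEN, "1"))
```

The checks cover structure only (parameter names, values and lengths); they do not verify that the coordinates form a valid P-256 key or that a token's signature is correct.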