Public server JWK set

1. Public keys

The Connect2id server publishes its public cryptographic keys:

  • To enable clients to verify the authenticity of issued ID tokens.

  • To enable clients to verify the authenticity of JWT-encoded UserInfo responses.

  • To enable clients to verify the authenticity of JWT-secured authorisation responses (JARM).

  • To enable resource servers (web APIs) to verify self-contained (JWT-encoded) access tokens.

  • To enable clients to encrypt request objects (JAR) to the server.

  • To enable clients to encrypt ID token hints to the server.

The public keys are extracted from the configured server JWK set and made available in the same format, as JSON Web Keys (JWK).

The signature validation (JWS) and encryption (JWE) of JWTs can be performed with the open source Nimbus JOSE+JWT library (Java), or any other library that is JWS and JWE compliant.

2. The JWK set URL

It can be found out from the jwks_uri advertised in the Connect2id server metadata and has this form:

https://[base-server-url]/jwks.json

3. Web API overview

Resources
Representations Errors

4. Resources

4.1 /jwks.json

4.1.1 GET

Retrieves the Connect2id server's public JWK set.

Success:

Errors:

Example request to get the server's public keys:

GET /jwks.json HTTP/1.1
Host: c2id.com

Example response with the server public JWK set, containing signing and encryption keys of type RSA, EC and OKP (for EdDSA):

HTTP/1.1 200 OK
Content-Type: application/json

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "CXup",
      "n": "hrwD-lc-IwzwidCANmy4qsiZk11yp9kHykOuP0yOnwi36VomYTQVEzZXgh2sDJpGgAutdQudgwLoV8tVSsTG9SQHgJjH9Pd_9V4Ab6PANyZNG6DSeiq1QfiFlEP6Obt0JbRB3W7X2vkxOVaNoWrYskZodxU2V0ogeVL_LkcCGAyNu2jdx3j0DjJatNVk7ystNxb9RfHhJGgpiIkO5S3QiSIVhbBKaJHcZHPF1vq9g0JMGuUCI-OTSVg6XBkTLEGw1C_R73WD_oVEBfdXbXnLukoLHBS11p3OxU7f4rfxA_f_72_UwmWGJnsqS3iahbms3FkvqoL9x_Vj3GhuJSf97Q"
    },
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "kid": "yGvt",
      "x": "pvgdqM3RCshljmuCF1D2Ez1w5ei5k7-bpimWLPNeEHI",
      "y": "JSmUhbUTqiFclVLEdw6dz038F7Whw4URobjXbAReDuM"
    },
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-384",
      "kid": "9nHY",
      "x": "JPKhjhE0Bj579Mgj3Cn3ERGA8fKVYoGOaV9BPKhtnEobphf8w4GSeigMesL-038W",
      "y": "UbJa1QRX7fo9LxSlh7FOH5ABT5lEtiQeQUcX9BW0bpJFlEVGqwec80tYLdOIl59M"
    },
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-521",
      "kid": "tVzS",
      "x": "AZgkRHlIyNQJlPIwTWdHqouw41k9dS3GJO04BDEnJnd_Dd1owlCn9SMXA-JuXINn4slwbG4wcECbctXb2cvdGtmn",
      "y": "AdBC6N9lpupzfzcIY3JLIuc8y8MnzV-ItmzHQcC5lYWMTbuM9NU_FlvINeVo8g6i4YZms2xFB-B0VVdaoF9kUswC"
    },
    {
      "kty": "OKP",
      "use": "sig",
      "crv": "Ed25519",
      "kid": "27zV",
      "x": "0I6olrZGYml7JGusuKJW9G7D0DZ9UormSady9kR7V4Q"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "enc",
      "kid": "IHMc",
      "n": "lLrhwERiPmq7XOz6Rwk8q4ey_OGcL4P56Ip01mzKMUfysIwo-nUdwDI_9ntYohpvqiTjnrtZOENhhoqne5M4hqpSfBMmCWSvWL_3wa8FanRWd6lPgGdKJ1a3vV0gLxnCbmdho1CSuSszV4736WkjdDhLcXSRN1kWwWbok94FdPD_egCyBY3cwhvuRzmUgE8LDh-VnNRh1BYc7e9yEMublza8qJpW-N5ljHEU0on08X-lsyl4djEac74H7taDcmtchPLYZy0-ZIxgLmosQ2aYIt6xycfPYsm5x9CGetUqhClpLLaTcyTGq_pH4ECdZtkYHcYJM-3q-XDZTqB6wUaggw"
    },
    {
      "kty": "EC",
      "use": "enc",
      "crv": "P-256",
      "kid": "1yFA",
      "x": "_-aKZeuwWDv4v89dPGdKtpOuOepc_0qDZDhcv3omzX0",
      "y": "Gc5b7muOqbi4QvYJO24a4IqQoOY1pPM69DcpI605Vmw"
    },
    {
      "kty": "EC",
      "use": "enc",
      "crv": "P-384",
      "kid": "TqZ6",
      "x": "3Ex0yUSLvhaOriP8U78kZEEJXxkC0oQmwo1zHTe_nhgKx2YPS97-qmDdRMkByxJ9",
      "y": "MCosrhjIYP4lkoan45MxAZE3QB6IKau5nZHpQ_qDXH8jgcIo2l3M8wdN6iI08kcW"
    },
    {
      "kty": "EC",
      "use": "enc",
      "crv": "P-521",
      "kid": "h38C",
      "x": "AVMBSexPHgq536pZQjN6Si1HAdUdfiW4xrdYzNHR2A9z4zovnKi5xrQ9hWX8QUs4ejVQ3bE9ufhOYL3D7oTwx9Jb",
      "y": "AeMeo858k_6ktxNhlpxBSwGL2hmTI1nBeGi2ZrMVl2qzdjOFf-AVFRSsE9DhAD9sWVUrGrzwONbfmqwIlgbjeH7L"
    }
  ]
}

5. Representations

5.1 Server JWK set

The Connect2id server's public keys (one or more), in JWK set format RFC 7517.

Every key in the JWK set has a unique identifier (kid). The issued signed JWTs will identify the key in the JWS kid header parameter.

Example JWK set including a single public signing RSA key:

{
  "keys" : [
     {
       "kty" : "RSA",
       "use" : "sig",
       "kid" : "P9Zd",
       "e"   : "AQAB",
       "n"   : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k"
     }
  ]
}

5. Errors

404 Not Found

The requested resource doesn't exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error