Public server JWK set
1. Public RSA keys
The Connect2id server publishes its public RSA keys as a JSON Web Key (JWK) set. This is done for the following purposes:
To enable clients and other parties to verify the authenticity of identity tokens issued by the server.
To enable clients and other parties to verify the authenticity of JWT-encoded claims returned at the UserInfo endpoint.
To enable resource servers (web APIs) to verify self-contained (JWT-encoded) access tokens that clients pass to them .
To encrypt OpenID Connect request objects to the server.
The JWS signatures can be verified using the free Nimbus JOSE+JWT library (Java), or any other library that can handle signed JWTs.
The public keys are exported from the configured JWK pairs and made available at the following URL:
https://[base-server-url]/jwks.json
The JWK set URL can also be obtained from the server discovery endpoint.
2. Web API overview
| Resources | |
|---|---|
| Representations | Errors |
3. Resources
3.1 /jwks.json
3.1.1 GET
Retrieves the server's public JWK set.
Success:
Code:
200Content-Type:
application/jsonBody: {object} The OpenID provider JWK set.
Errors:
Example request to get the server's public keys:
GET /jwks.json HTTP/1.1
Host: c2id.com
The response containing a JSON object with a single public RSA keys and its identifier (to enable key roll-over):
HTTP/1.1 200 OK
Content-Type: application/json
{
"keys" : [ { "e" : "AQAB",
"n" : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
"kty" : "RSA",
"kid" : "1" } ]
}
4. Representations
4.1 OpenID provider JWK set
The server's public RSA keys (one or more), as specified in JSON Web Keys (JWK).
Each key in the JWK set has a unique identifier (kid). The issued identity
and self-contained access tokens issued by the server will specify the
identifier of the used key in the JWT kid header parameter.
Example JWK set including a single public RSA key:
{
"keys" : [ { "e" : "AQAB",
"n" : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
"kty" : "RSA",
"kid" : "1" } ]
}
5. Errors
404 Not Found
The requested resource doesn't exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error