Public server JWK set
1. Public keys
The Connect2id server publishes its public cryptographic keys:
To enable clients to verify the authenticity of issued ID tokens.
To enable clients to verify the authenticity of JWT-encoded UserInfo responses.
To enable clients to verify the authenticity of JWT-secured authorisation responses (JARM).
To enable resource servers (web APIs) to verify self-contained (JWT-encoded) access tokens.
To enable clients to encrypt request objects (JAR) to the server.
To enable clients to encrypt ID token hints to the server.
The public keys are extracted from the configured server JWK set and made available in the same format, as JSON Web Keys (JWK).
The signature validation (JWS) and encryption (JWE) of JWTs can be performed with the open source Nimbus JOSE+JWT library (Java), or any other library that is JWS and JWE compliant.
2. The JWK set URL
The URL is advertised as the jwks_uri parameter in the Connect2id server metadata and has this form:
https://[base-server-url]/jwks.json
3. Web API overview
Resources
Representations
Errors
4. Resources
4.1 /jwks.json
4.1.1 GET
Retrieves the Connect2id server's public JWK set.
Header parameters:
[ Issuer ] The issuer URL when issuer aliases are configured, or the issuer URL for a tenant (in the multi-tenant Connect2id server edition). The tenant can be alternatively specified by the Tenant-ID header.
[ Tenant-ID ] The tenant ID (in the multi-tenant Connect2id server edition). The tenant can be alternatively specified by the Issuer header.
Success:
Code: 200
Content-Type: application/json
Body: {object} The Connect2id server JWK set.
Errors: 404 Not Found, 500 Internal Server Error (see the Errors section below)
Example request to get the server's public keys:
GET /jwks.json HTTP/1.1
Host: c2id.com
Example response with the server public JWK set, containing signing and encryption keys of type RSA, EC and OKP (for EdDSA):
HTTP/1.1 200 OK
Content-Type: application/json
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "CXup",
"n": "hrwD-lc-IwzwidCANmy4qsiZk11yp9kHykOuP0yOnwi36VomYTQVEzZXgh2sDJpGgAutdQudgwLoV8tVSsTG9SQHgJjH9Pd_9V4Ab6PANyZNG6DSeiq1QfiFlEP6Obt0JbRB3W7X2vkxOVaNoWrYskZodxU2V0ogeVL_LkcCGAyNu2jdx3j0DjJatNVk7ystNxb9RfHhJGgpiIkO5S3QiSIVhbBKaJHcZHPF1vq9g0JMGuUCI-OTSVg6XBkTLEGw1C_R73WD_oVEBfdXbXnLukoLHBS11p3OxU7f4rfxA_f_72_UwmWGJnsqS3iahbms3FkvqoL9x_Vj3GhuJSf97Q"
},
{
"kty": "EC",
"use": "sig",
"crv": "P-256",
"kid": "yGvt",
"x": "pvgdqM3RCshljmuCF1D2Ez1w5ei5k7-bpimWLPNeEHI",
"y": "JSmUhbUTqiFclVLEdw6dz038F7Whw4URobjXbAReDuM"
},
{
"kty": "EC",
"use": "sig",
"crv": "P-384",
"kid": "9nHY",
"x": "JPKhjhE0Bj579Mgj3Cn3ERGA8fKVYoGOaV9BPKhtnEobphf8w4GSeigMesL-038W",
"y": "UbJa1QRX7fo9LxSlh7FOH5ABT5lEtiQeQUcX9BW0bpJFlEVGqwec80tYLdOIl59M"
},
{
"kty": "EC",
"use": "sig",
"crv": "P-521",
"kid": "tVzS",
"x": "AZgkRHlIyNQJlPIwTWdHqouw41k9dS3GJO04BDEnJnd_Dd1owlCn9SMXA-JuXINn4slwbG4wcECbctXb2cvdGtmn",
"y": "AdBC6N9lpupzfzcIY3JLIuc8y8MnzV-ItmzHQcC5lYWMTbuM9NU_FlvINeVo8g6i4YZms2xFB-B0VVdaoF9kUswC"
},
{
"kty": "OKP",
"use": "sig",
"crv": "Ed25519",
"kid": "27zV",
"x": "0I6olrZGYml7JGusuKJW9G7D0DZ9UormSady9kR7V4Q"
},
{
"kty": "RSA",
"e": "AQAB",
"use": "enc",
"kid": "IHMc",
"n": "lLrhwERiPmq7XOz6Rwk8q4ey_OGcL4P56Ip01mzKMUfysIwo-nUdwDI_9ntYohpvqiTjnrtZOENhhoqne5M4hqpSfBMmCWSvWL_3wa8FanRWd6lPgGdKJ1a3vV0gLxnCbmdho1CSuSszV4736WkjdDhLcXSRN1kWwWbok94FdPD_egCyBY3cwhvuRzmUgE8LDh-VnNRh1BYc7e9yEMublza8qJpW-N5ljHEU0on08X-lsyl4djEac74H7taDcmtchPLYZy0-ZIxgLmosQ2aYIt6xycfPYsm5x9CGetUqhClpLLaTcyTGq_pH4ECdZtkYHcYJM-3q-XDZTqB6wUaggw"
},
{
"kty": "EC",
"use": "enc",
"crv": "P-256",
"kid": "1yFA",
"x": "_-aKZeuwWDv4v89dPGdKtpOuOepc_0qDZDhcv3omzX0",
"y": "Gc5b7muOqbi4QvYJO24a4IqQoOY1pPM69DcpI605Vmw"
},
{
"kty": "EC",
"use": "enc",
"crv": "P-384",
"kid": "TqZ6",
"x": "3Ex0yUSLvhaOriP8U78kZEEJXxkC0oQmwo1zHTe_nhgKx2YPS97-qmDdRMkByxJ9",
"y": "MCosrhjIYP4lkoan45MxAZE3QB6IKau5nZHpQ_qDXH8jgcIo2l3M8wdN6iI08kcW"
},
{
"kty": "EC",
"use": "enc",
"crv": "P-521",
"kid": "h38C",
"x": "AVMBSexPHgq536pZQjN6Si1HAdUdfiW4xrdYzNHR2A9z4zovnKi5xrQ9hWX8QUs4ejVQ3bE9ufhOYL3D7oTwx9Jb",
"y": "AeMeo858k_6ktxNhlpxBSwGL2hmTI1nBeGi2ZrMVl2qzdjOFf-AVFRSsE9DhAD9sWVUrGrzwONbfmqwIlgbjeH7L"
}
]
}
5. Representations
5.1 Server JWK set
The Connect2id server's public keys (one or more), in JWK set format (RFC 7517).
Every key in the JWK set has a unique identifier (kid). The issued signed JWTs will identify the key in the JWS kid header parameter.
Example JWK set including a single public signing RSA key:
{
"keys" : [
{
"kty" : "RSA",
"use" : "sig",
"kid" : "P9Zd",
"e" : "AQAB",
"n" : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k"
}
]
}
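The kid lookup and signature check described above, as an added Go example that is not Connect2id or Nimbus code (those are Java); it uses only the Go standard library. It handles the OKP/Ed25519 (EdDSA) key type from the example set and treats a kid that names an "enc" key, a key of another type, or an unknown key as a verification failure. The JWK field names and the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWK holds the public-key members of the server JWK set ("kty", "use", "kid", "crv", "x").
type JWK struct{ Kty, Use, Kid, Crv, X string }
var b64 = base64.RawURLEncoding
// Ed25519SigningKey returns the key the JWS "kid" header names, but only if it is
// marked use=sig and is OKP/Ed25519: an "enc" key or an EC key is never accepted.
func Ed25519SigningKey(keys []JWK, kid string) (ed25519.PublicKey, error) {
	for _, k := range keys {
		if k.Kid != kid {
			continue
		}
		if k.Use != "sig" || k.Kty != "OKP" || k.Crv != "Ed25519" {
			return nil, errors.New("kid " + kid + " is not an Ed25519 signing key")
		}
		pub, err := b64.DecodeString(k.X)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return nil, errors.New("malformed Ed25519 public key in JWK")
		}
		return ed25519.PublicKey(pub), nil
	}
	return nil, errors.New("no key with kid " + kid + " in the JWK set")
}

// VerifyEdDSA validates a compact JWS (header.payload.signature) against the published keys and returns its payload.
func VerifyEdDSA(keys []JWK, jws string) ([]byte, error) {
	parts := strings.Split(jws, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	raw, err := b64.DecodeString(parts[0]) // Split always yields at least one element
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed JWS, or alg other than EdDSA") // never honour alg=none
	}
	pub, err := Ed25519SigningKey(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2]) // the signed input is the ASCII of the two encoded parts
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	return b64.DecodeString(parts[1])
}
```

A client would fetch the set from jwks_uri, decode it into a struct with a Keys []JWK field and pass Keys to VerifyEdDSA; keys of other types need their own checks on kty and crv before use.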
6. Errors
404 Not Found
The requested resource doesn't exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error