Public server JWK set

1. Public RSA keys

The Connect2id server publishes its public RSA keys as a JSON Web Key (JWK) set. This is done for the following purposes:

• To enable clients and other parties to verify the authenticity of identity tokens issued by the server.

• To enable clients and other parties to verify the authenticity of JWT-encoded claims returned at the UserInfo endpoint.

• To enable resource servers (web APIs) to verify self-contained (JWT-encoded) access tokens that clients pass to them .

• To encrypt OpenID Connect request objects to the server.

The JWS signatures can be verified using the free Nimbus JOSE+JWT library (Java), or any other library that can handle signed JWTs.

The public keys are exported from the configured JWK pairs and made available at the following URL:

https://[base-server-url]/jwks.json

The JWK set URL can also be obtained from the server discovery endpoint.

2. Web API overview

Resources
/jwks.json [GET]
Representations	Errors
JWK set	404 Not Found 500 Internal Server Error

3. Resources

3.1 /jwks.json

3.1.1 GET

Retrieves the server’s public JWK set.

Success:

• Code: 200

• Content-Type: application/json

• Body: {object} The OpenID provider JWK set.

Errors:

• 404 Not Found
• 500 Internal Server Error

Example request to get the server’s public keys:

GET /jwks.json HTTP/1.1
Host: c2id.com

The response containing a JSON object with a single public RSA keys and its identifier (to enable key roll-over):

HTTP/1.1 200 OK
Content-Type: application/json

{
  "keys" : [ { "e"   : "AQAB",
               "n"   : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
               "kty" : "RSA",
               "kid" : "1" } ]
}

4. Representations

4.1 OpenID provider JWK set

The server’s public RSA keys (one or more), as specified in JSON Web Keys (JWK).

Each key in the JWK set has a unique identifier (kid). The issued identity and self-contained access tokens issued by the server will specify the identifier of the used key in the JWT kid header parameter.

Example JWK set including a single public RSA key:

{
  "keys" : [ { "e"   : "AQAB",
               "n"   : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
               "kty" : "RSA",
               "kid" : "1" } ]
}

5. Errors

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error