Server JWK set
1. Public keys
The Connect2id server publishes its public cryptographic keys:
- To enable clients and others to verify the authenticity of ID tokens issued by the server.
- To enable clients and others to verify the authenticity of JWT-encoded UserInfo responses from the server.
- To enable resource servers (web APIs) to verify self-contained (JWT-encoded) access tokens issued by the server.
- To enable clients to encrypt OpenID Connect request objects (JAR) to the server.
- To enable clients to encrypt ID token hints to the server.
The public keys are extracted from the configured server JWK set and made available in the same format, as JSON Web Keys (JWK).
The signature validation (JWS) and encryption (JWE) of JWTs can be performed with the free Nimbus JOSE+JWT library (Java), or any other library that is JWS and JWE compliant.
2. The JWK set URL
The JWK set URL is published in the server metadata (the jwks_uri parameter of the OpenID provider metadata) and looks like this:
https://[base-server-url]/jwks.json
3. Web API overview
Resources: /jwks.json
Representations: Server JWK set
Errors: 404 Not Found, 500 Internal Server Error
4. Resources
4.1 /jwks.json
4.1.1 GET
Retrieves the server’s public JWK set.
Success:
- Code: 200
- Content-Type: application/json
- Body: {object} The OpenID provider JWK set.
Errors: see the Errors section below.
Example request to get the server’s public keys:
GET /jwks.json HTTP/1.1
Host: c2id.com
The response contains a JSON object with a single public RSA key and its identifier (kid), which enables key roll-over:
HTTP/1.1 200 OK
Content-Type: application/json
{
"keys" : [ { "e" : "AQAB",
"n" : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
"kty" : "RSA",
"kid" : "1" } ]
}
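A verifier that consumes this endpoint has to cope with key roll-over: a token can arrive carrying a kid that is not in the verifier's cached copy of the JWK set yet. The usual answer is to refetch /jwks.json on an unknown kid, but not on every unknown kid, because the kid in a forged token is attacker-controlled and would otherwise let anyone drive load at the endpoint; and to refresh the cache periodically anyway, so retired keys drop out. The following cache is an added example and is not Connect2id server or Nimbus JOSE+JWT code. The fetch callable, the 60-second refetch limit, the one-hour maximum age, the fake clock and the two demo keys (their n values are placeholders) are all constructed for the demonstration.

```python
import time


class JWKSetCache:
    """Cache of the server's public JWK set keyed by kid, refreshed on a miss."""

    def __init__(self, fetch, min_refresh_interval=60.0, max_age=3600.0,
                 clock=time.monotonic):
        self._fetch = fetch            # callable: GET /jwks.json -> parsed JSON object
        self._min_refresh = min_refresh_interval
        self._max_age = max_age
        self._clock = clock
        self._keys = {}
        self._last_refresh = None
        self.fetch_count = 0           # exposed so callers can meter endpoint load

    def refresh(self):
        keys = {}
        for jwk in self._fetch().get("keys", []):
            kid = jwk.get("kid")
            if kid is None or kid in keys:
                raise ValueError("every key in the JWK set needs a unique kid")
            keys[kid] = jwk
        self._keys = keys              # replaced wholesale: retired keys vanish
        self._last_refresh = self._clock()
        self.fetch_count += 1

    def get_key(self, kid):
        """Return the JWK for kid; refetch once on a miss, but rate limited."""
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh > self._max_age:
            self.refresh()
        jwk = self._keys.get(kid)
        if jwk is None and now - self._last_refresh >= self._min_refresh:
            self.refresh()             # the server may have rolled its keys
            jwk = self._keys.get(kid)
        if jwk is None:
            raise KeyError("no key with kid %r in the server JWK set" % (kid,))
        return jwk


# Constructed demo data (not real keys): the server rolls from kid "1" to "2".
DEMO_OLD_KEY = {"kty": "RSA", "kid": "1", "e": "AQAB", "n": "constructed-modulus-1"}
DEMO_NEW_KEY = {"kty": "RSA", "kid": "2", "e": "AQAB", "n": "constructed-modulus-2"}


class FakeClock:
    """Manually advanced clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo_rollover():
    """Walk the cache through a roll-over; returns (outcome, fetch_count) pairs."""
    clock = FakeClock()
    published = {"keys": [DEMO_OLD_KEY]}          # what /jwks.json currently serves
    cache = JWKSetCache(lambda: published, 60.0, 3600.0, clock)
    out = []
    out.append((cache.get_key("1")["kid"], cache.fetch_count))     # ("1", 1)
    try:                                   # kid "2" is not published yet and the
        cache.get_key("2")                 # rate limit forbids a second fetch
    except KeyError:
        out.append(("miss", cache.fetch_count))                     # ("miss", 1)
    published["keys"] = [DEMO_OLD_KEY, DEMO_NEW_KEY]   # roll-over: overlap period
    clock.now += 61
    out.append((cache.get_key("2")["kid"], cache.fetch_count))     # ("2", 2)
    published["keys"] = [DEMO_NEW_KEY]                 # old key retired
    clock.now += 3601
    try:
        cache.get_key("1")                 # cache older than max_age: refetched,
    except KeyError:                       # and the retired key is gone
        out.append(("retired", cache.fetch_count))                  # ("retired", 3)
    return out


if __name__ == "__main__":
    print(demo_rollover())
```

The two limits pull in opposite directions: min_refresh_interval bounds how often a stream of forged tokens can make the verifier hit the endpoint, while max_age bounds how long a key the server has already retired stays usable. Publishing the new key alongside the old one for at least max_age before switching signing to it is what makes the roll-over seamless.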
5. Representations
5.1 Server JWK set
The server’s public RSA keys (one or more), as specified in JSON Web Keys (JWK).
Each key in the JWK set has a unique identifier (kid). ID tokens and self-contained access tokens issued by the server carry the identifier of the signing key in the JWT kid header parameter, so that verifiers can select the right public key, including during key roll-over when more than one key is published.
Example JWK set including a single public RSA key:
{
"keys" : [ { "e" : "AQAB",
"n" : "kWp2zRA23Z3vTL4uoe8kTFptxBVFunIoP4t_8TDYJrOb7D1iZNDXVeEsYKp6ppmrTZDAgd-cNOTKLd4M39WJc5FN0maTAVKJc7NxklDeKc4dMe1BGvTZNG4MpWBo-taKULlYUu0ltYJuLzOjIrTHfarucrGoRWqM0sl3z2-fv9k",
"kty" : "RSA",
"kid" : "1" } ]
}
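What a verifier does with this representation, in section 1 and above: take the kid from the JWT header, select exactly that RSA key from the set, and check the RS256 signature with it. The following is an added example in plain Python standard library, written here to show the steps a library such as Nimbus JOSE+JWT performs; it is not the library's or the Connect2id server's code. It pins the algorithm before any key lookup, fails closed on an unknown or ambiguous kid, and does the RSASSA-PKCS1-v1_5 verification by hand. The key generator, signer, claims and kid "1" at the bottom are constructed so the example runs offline; they are a throwaway demo, not production key material.

```python
import base64
import hashlib
import hmac
import json
import math
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def select_key(jwk_set, kid):
    """Pick the single RSA key whose kid matches; fail closed otherwise."""
    matches = [k for k in jwk_set.get("keys", [])
               if k.get("kty") == "RSA" and k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError("no unique RSA key with kid=%r in the JWK set" % (kid,))
    return matches[0]


def emsa_pkcs1_v15_sha256(message, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), RFC 8017 section 9.2."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_rs256(token, jwk_set):
    """Verify a compact RS256 JWS against the JWK set and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS with three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what the key supports: "none", HS256 (key confusion
    # with the public key as HMAC secret) and anything else is rejected here.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    key = select_key(jwk_set, header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != k:
        raise ValueError("signature length does not match the modulus")
    s = int.from_bytes(sig, "big")
    if s >= n:
        raise ValueError("signature representative out of range")
    em = pow(s, e, n).to_bytes(k, "big")            # RSAVP1
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    if not hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signing_input, k)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


# --- Constructed demo key material below; NOT a production key generator. ---

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_demo_key(kid, bits=1024):
    """Return (public JWK in /jwks.json shape, private exponent d, modulus n)."""
    e = 65537
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c) and math.gcd(e, c - 1) == 1:
                return c
    p, q = prime(), prime()
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    jwk = {"kty": "RSA", "kid": kid, "e": b64url_encode(e.to_bytes(3, "big")),
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return jwk, d, n


def sign_rs256(claims, kid, d, n):
    """Sign the way the server does: alg and kid in the header, RS256 signature."""
    header_b64 = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_sha256((header_b64 + "." + payload_b64).encode("ascii"), k)
    sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)
```

Signature validity is only the first gate; a real client or resource server then checks iss, aud, exp and (for ID tokens) nonce on the returned claims before trusting them. Note also that the alg check precedes the key lookup on purpose: deciding the algorithm from the token header, rather than from the key the kid resolves to, is how the "alg": "none" and RSA/HMAC confusion bugs in JWT libraries came about.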
6. Errors
404 Not Found
The requested resource doesn’t exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error