Skip to main content
For Authlete 2.x documentation, see 2.x version.

Preface

This article explains how to register a JWK set for an Authlete service. First, refer to the steps below in order to prepare a JWK set.
This article assumes that you have prepared a JWK set in some way. The following example illustrates usage of mkjwk.org service to generate an ES256 key pair, and parameters specified for it.
  • Key Type: EC (Elliptic Curve)
  • Curve: P-256
  • Key Use: Signing
  • Algorithm: ES256
  • Key ID: 1
mkjwk.org Generating a JWK Set using mkjwk

Registering the JWK set via the Authlete Console

To register the JWK set you prepared, go to your service settings, inside Key Management > JWK Set. There, you will be able to copy the generated “Public and Private Keypair Set” into the JWK Set Content field of the settings. Make sure to save your changes by hitting the Save Changes button at the bottom of the page. Register JWK in service settings JWK Set Content Now the JWK set has been registered in the service. In addition, by adding the authorization server’s endpoint as the JWK set endpoint URI, the jwks_uri value is reflected in the authorization server’s metadata document.

Registering the JWK set via Authlete API

You can also use Authlete’s service management APIs to register the JWK set instead of using the Web console. The following example illustrates how to make a request to the PUT /service/update API to specify the JWK set as a value of “jwks” key. Updating service settings requires an organization access token.

1. Get configuration data about the target service

Use the GET /service/get API to retrieve the configuration data of the service. 
curl -s {Authlete API}/service/get/{Service API Key} \
   -H Authorization: Bearer {OrganizationAccessToken} \
   -H 'Content-type: application/json' \
   > service.json

2. Add a new JWK set to the data

Add the following key/value as a JWK set to the JSON formatted configuration data retrieved above and save as updated-service.json. 
{
  "jwks": {
    "keys": [
      {
        "kty": "EC",
        "d": "eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4",
        "use": "sig",
        "crv": "P-256",
        "kid": "2019-07-25_02",
        "x": "f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI",
        "y": "EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY",
        "alg": "ES256"
      }
    ]
  }
}
If you would like to register multiple JWKs, specify which one of the JWKs for signing. For example, if you want a JWK identified by key ID "kid":"2019-07-25_02" to be used for signing ID tokens, you should add the following key/value: 
"idTokenSignatureKeyId": "2019-07-25_02"
(see Service Management API Reference for details on idTokenSignatureKeyId)

3. Update the service with the new configuration data

Use PUT /service/update API to put the new configuration data that includes the JWK set. 
cat updated-service.json | \
    curl -s -X PUT {Authlete API}/service/update/{Service API Key} \
    -H 'Authorization: Bearer {OrganizationAccessToken}' \
    -H 'Content-type: application/json' \
    -d @-
The new “jwks” should be included in the output as follows. 
{
  // ... other service properties ...
  "jwks": "{\"keys\":[
    {
        \"kty\":\"EC\",
        \"d\":\"eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4\",
        \"use\":\"sig\",
        \"crv\":\"P-256\",
        \"kid\":\"2019-07-25_02\",
        \"x\":\"f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI\",
        \"y\":\"EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY\",
        \"alg\":\"ES256\"
    }
]}",
  // ... other service properties ...
}

Key Rotation

To perform key rotation without downtime, it is common to update keys using the following procedure.
  1. Add a new signing key to jwks_uri (resulting in a state where multiple keys are included)
  2. Wait until the jwks_uri cache on clients and RPs is invalidated and multiple keys are recognized
  3. Switch the signing key to the new key
  4. Remove the old signing key
For authorization servers using Authlete, steps 1 and 4 correspond to updating the contents of the service’s JWK set (jwks), and step 3 corresponds to updating settings such as the service’s ID token signature key ID (idTokenSignatureKeyId).