logo

JWK set settings for an Authlete service

Table of Contents

JWK set settings for an Authlete service

Preface

This article explains how to register a JWK set for an Authlete service.
First, refer to the steps below in order to prepare a JWK set.

This article assumes that you have prepared a JWK set in some way. The following example illustrates usage of mkjwk.org service to generate an ES256 key pair, and parameters specified for it.

  • Key Type: EC (Elliptic Curve)
  • Curve: P-256
  • Key Use: Signing
  • Algorithm: ES256
  • Key ID: 1
mkjwk.org
Generating a JWK Set using mkjwk

Registering the JWK set via the Authlete Console

To register the JWK set you prepared, go to your service settings, inside Key Management > JWK Set. There, you will be able to copy the generated “Public and Private Keypair Set” into the JWK Set Content field of the settings. Make sure to save your changes by hitting the Save Changes button at the bottom of the page.

Register JWK in service settings
JWK Set Content

Now the JWK set has been registered in the service.

Registering the JWK set via Authlete API

You can also use Authlete’s service management APIs to register the JWK set instead of using the Web console. The following example illustrates how to make a request to the /service/update API to specify the JWK set as a value of “jwks” key.

1. Get configuration data about the target service

Use the /service/get API to retrieve the configuration data of the service.

curl -s {Authlete API}/service/get/{Service API Key} \
   -u {Service Owner API Key}:{Service Owner API Secret} \
   -H 'Content-type: application/json' \
   > service.json

2. Add a new JWK set to the data

Add the following key/value as a JWK set to the JSON formatted configuration data retrieved above and save as updated-service.json.

{
  "jwks": {
    "keys": [
      {
        "kty": "EC",
        "d": "eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4",
        "use": "sig",
        "crv": "P-256",
        "kid": "2019-07-25_02",
        "x": "f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI",
        "y": "EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY",
        "alg": "ES256"
      }
    ]
  }
}

If you would like to register multiple JWKs, specify which one of the JWKs for signing. For example, if you want a JWK identified by key ID “kid”:“2019-07-25_02” to be used for signing ID tokens, you should add the following key/value :

"idTokenSignatureKeyId": "2019-07-25_02"

(see Authlete API Reference for details on idTokenSignatureKeyId)

3. Update the service with the new configuration data

Use /service/update API to put the new configuration data that includes the JWK set.

cat updated-service.json | \
    curl -s -X PUT {Authlete API}/service/update/{Service API Key} \
    -u {Service Owner API Key}:{Service Owner API Secret} \
    -H 'Content-type: application/json' \
    -d @-

The new “jwks” should be included in the output as follows.

[...]
"jwks": "{\"keys\":[
    {
        \"kty\":\"EC\",
        \"d\":\"eb4BggIO87SUjzP1M56MeXj0NQajWBwpwiDq8yoL5n4\",
        \"use\":\"sig\",
        \"crv\":\"P-256\",
        \"kid\":\"2019-07-25_02\",
        \"x\":\"f8a6jovcRTNLDWi3_c62YcW_3ZN-GH1RkiVOZgSgIYI\",
        \"y\":\"EB3R8W12a3tgZfNer1RP0DizT3qpRybGw_krfsE0JzY\",
        \"alg\":\"ES256\"
    }
]}"
[...]