JWKS setup

To validate a signed JWT securely, it is recommended to publish the verification keys as a JSON Web Key Set (JWKS).

The application must ensure that the public half of the generated key pair is translated into JSON Web Key (JWK) format. One or more JWK objects are then offered under a JWKS endpoint: https://YOUR_DOMAIN/path-to/jwks.json.

Because the public keys are now available under a fixed URL, a key can be revoked or rotated with ease.
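The two steps above (translating the public key of a key pair into a JWK and serving one or more of them as a JWKS document) and the rotation that this enables, shown end to end as an added example; this is not code from the original page and uses only the Go standard library. It assumes RS256 keys, derives the `kid` as the RFC 7638 thumbprint (the page does not prescribe how key ids are chosen), and the message signed in `main` stands in for the `header.payload` part of a JWT. The consumer side selects the key by `kid` and rejects unknown ids instead of trying every key in the set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK holds the RFC 7517 members needed to publish an RSA verification key.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document served at the JWKS endpoint.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey generates the RSA key pair whose public half will be published.
func NewSigningKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// PublicKeyToJWK translates only the public half of the key pair into JWK form.
// The kid is the RFC 7638 thumbprint (assumed convention): SHA-256 over the
// canonical {"e","kty","n"} members without whitespace, so a key keeps its id.
func PublicKeyToJWK(pub *rsa.PublicKey) JWK {
	n := b64url(pub.N.Bytes())
	e := b64url(big.NewInt(int64(pub.E)).Bytes())
	thumb := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return JWK{Kty: "RSA", Use: "sig", Alg: "RS256", Kid: b64url(thumb[:]), N: n, E: e}
}

// MarshalJWKS builds the JSON document for the endpoint. Serving the current
// and the next key together is what allows rotation without breaking verifiers.
func MarshalJWKS(keys ...JWK) ([]byte, error) {
	return json.Marshal(JWKS{Keys: keys})
}

// JWKToPublicKey is the consumer side: rebuild rsa.PublicKey from a fetched JWK.
func JWKToPublicKey(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, errors.New("unsupported kty: " + k.Kty)
	}
	nb, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	eb, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// Sign produces an RS256 signature (RSASSA-PKCS1-v1_5 over SHA-256) for msg,
// which for a JWT is the base64url header and payload joined by a dot.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyWithJWKS parses the fetched JWKS, selects the key named by the token's
// kid header and checks the signature. Unknown kids and keys not meant for
// RS256 signing are rejected rather than falling back to "any key in the set".
func VerifyWithJWKS(jwksJSON []byte, kid string, msg, sig []byte) error {
	var set JWKS
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Use != "sig" || k.Alg != "RS256" {
			continue
		}
		pub, err := JWKToPublicKey(k)
		if err != nil {
			return err
		}
		h := sha256.Sum256(msg)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	}
	return errors.New("no RS256 signing key with kid " + kid + " in JWKS")
}

func main() {
	priv, err := NewSigningKey(2048)
	if err != nil {
		panic(err)
	}
	// This document is what https://YOUR_DOMAIN/path-to/jwks.json should return.
	doc, _ := MarshalJWKS(PublicKeyToJWK(&priv.PublicKey))
	fmt.Println(string(doc))
}
```

During a rotation, publish the new key's JWK alongside the old one first, start signing with the new `kid` once consumers have had time to refresh their cached JWKS, and only then drop the old entry; revoking a key is simply removing its entry from the document.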

Note: many programming languages have libraries that (semi-)automatically expose an RSA key in PEM format as a JWKS endpoint. Look carefully at what is available before implementing this yourself!

Note: using a fixed, predictable path such as https://YOUR_DOMAIN/.well-known/jwks.json is discouraged; a less predictable path makes a hostile domain takeover more complicated to exploit.

Topics

TOP-KT-020 - Exchange of public keys
