JWK, JWKS and how to obtain them
What are JWKS?
JWKs, or JSON Web Keys, are a standardized format for representing cryptographic keys using JSON. They play a crucial role in securing web applications and APIs that utilize JSON Web Tokens (JWTs) for authentication and authorization. Obtaining JWKs involves generating key pairs, extracting keys from trusted certificates, utilizing key management systems, or leveraging web services and identity providers. By adhering to established practices and standards, developers can securely store, exchange, and verify cryptographic keys, ensuring the integrity and security of online communications.
JWK vs JWKS?
| Item | Description |
|---|---|
| JSON Web Key (JWK) | A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. |
| JSON Web Key Set (JWKS) | A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs. |
Getting access to JSON Web Key Sets
When it comes to working with JSON Web Key Sets (JWKS) and verifying the signatures of JSON Web Tokens (JWTs), there are a few key considerations to keep in mind.
To access a JWKS, there are typically two common scenarios you may encounter:
Retrieving JWKS via an Endpoint: In this case, you would need to make a request to an endpoint that contains the jwks_uri key. The value of this key will be a URL that you can use to retrieve the JWKS, which consists of multiple JSON Web Keys.
Direct Endpoint for Specific Key: Alternatively, some authentication services provide a direct endpoint that exposes the specific JSON Web Key associated with your application or URL.
Verifying your JWT signature
There might be a situation where you will obtain a list of multiple JSON Web Keys, needing to identify the right one
used for signing your JWT (JSON Web Token). To do this, you can navigate to a tool like jwt.io and
paste in your JWT. Under the Headers & Tokens section, you should notice a key called kid. This kid serves as
a unique identifier for the JSON Web Key used to sign the JWT. You can then match the kid value with the corresponding
identifier in the JWKS to identify the correct key.
Fetching JWKS from popular Authentication providers
Auth0
Auth0 exposes a JWKS endpoint for each tenant, which is found at https://{yourDomain}/.well-known/jwks.json.
This endpoint will contain the JWK used to verify all Auth0-issued JWTs for this tenant.
Currently, Auth0 signs with only one JWK at a time; however, it is important to assume this endpoint could contain multiple JWKs. As an example, multiple keys can be found in the JWKS when rotating application signing keys.
Read more here.
Okta
Okta signs JWTs using asymmetric encryption (RS256) (opens new window), and publishes the public signing keys in a JWKS (JSON Web Key Set) as part of the OAuth 2.0 and OpenID Connect discovery documents. The signing keys are rotated on a regular basis. The first step to verify a signed JWT is to retrieve the current signing keys.
Follow the guide here.
AWS Cognito
Download and store the corresponding public JSON Web Key (JWK) for your user pool. It is available as part of a JSON Web Key Set (JWKS). You can locate it by constructing the following jwks_uri URI for your environment:
https://cognito-idp.<Region>.amazonaws.com/<userPoolId>/.well-known/jwks.json
Read more here.
Clerk.com
You can fetch the JSON Web Key Sets in three different ways for Clerk:
Via the Backend API in JSON Web Key Set (JWKS) format at the following endpoint
https://api.clerk.dev/v1/jwks.Via the Frontend API in JSON Web Key Set (JWKS) format at the following endpoint
https://<YOUR_FRONTEND_API>/.well-known/jwks.json.If you are planning to use Clerk on a Serverless/Edge Runtime where JWKs caching is challenging, you can use the instance Public Key as an environment variable. The key can be found in
Dashboard > API Keys > JWT Verification Key. Note that the JWT Verification key is not in PEM format, the header and footer are missing, in order to be shorter and single-line for easier setup.
Read more here.
OneLogin
In order to get the JWKS for OneLogin, all you need to do is send a GET request to https://<subdomain>.onelogin.com/oidc/2/signing_keys.
You will need to pass a bearer <access_token> which you can generate using the Generate Token API.
If you have created multiple signing keys you will notice that only the most recently created one has an active status.
The other keys will be in a draining state which means that no additional tokens will be issued using these keys.
Read more here.
SuperTokens
The JWKS endpoint is {apiDomain}/{apiBasePath}/jwt/jwks.json. Here the apiDomain and apiBasePath are values pointing
to the server in which you have initalised SuperTokens using our backend SDK.
Read more here.