The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This url returns the Identity Server’s public key set in Json web key set format. This contains the signing key(s) the RP uses to validate signatures from the Identity Server. This endpoint is defined loosely by the OpenID Connect Discovery specification.

The endpoint url for the super tenant:

https://localhost:9443/oauth2/jwks

The jwks for the super tenant will be as follows:

{ "keys": [ { "alg": "RS256", "kty": "RSA", "use": "sig", "n": "AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5", "e": "AQAB", "kid": "d0ec514a32b6f88c0abd12a2840699bdd3deba9d", } ]}

Here if we consider the values one by one: alg : stands for the algorithm for the public key of the related tenant domain. kty : is the public key type. use : is the way that the key is using. Here sig represents the signature e : is the exponent value of the public key n : is the modulus value of the public key kid : is the thumbprint of the certificate. This value is an identifier used in identifying the key to be used to verify the signature. The jwks endpoint for a specific tenant domain will be changed as follows. Here the tenant domain is test.com. https://localhost:9443/t/test.com/oauth2/jwks/ From IS 5.2.0 this jwks endpoint can be used with Wso2 Identity Server.

Originally published at hasanthipurnima.blogspot.com.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store