JWKS Endpoint

The JSON Web Key Set (JWKS) endpoint is a read-only endpoint that contains the server’s public signing keys, which clients may use to verify the digital signatures of access tokens and ID tokens issued by the Ping Identity Data Governance Broker. This endpoint is defined loosely by the OpenID Connect Discovery specification. The JWKS and JWK formats are defined by RFC 7517. Some JSON Web Algorithms (JWA) have algorithm-specific fields, and these are specified by RFC 7518.

JWKS request

GET /jwks

Clients must be able to accept a media type of application/json but are not required to authenticate.

Example request:

GET /jwks HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Host: example.com:443

JWKS response

The response is a JSON document with an HTTP status of 200.

| Field | Type | Required? | Description |
|-------|------|-----------|-------------|
| keys | array | yes | An array containing one or more JWK objects. |

JWK object fields:

| Field | Type | Provided? | Description |
|-------|------|-----------|-------------|
| kid | string | always | The key name or ID. This corresponds to the name of a Key Pair in the Data Governance Broker configuration. |
| kty | string | always | The cryptographic algorithm family used by the key. Currently, the only valid value is RSA. |
| use | string | always | Indicates whether the key is to be used for signing or encryption. Currently, the only valid value is sig. |
| n | string | always | The modulus value for an RSA public key. |
| e | string | always | The exponent value for an RSA public key. |
| x5c | array | always | An array of strings, containing the X.509 certificate chain. |

Example response:

HTTP/1.1 200 OK
Content-Length: 3952
Content-Type: application/json
Date: Fri, 27 May 2016 19:53:21 GMT

{
    "keys": [
        {
            "e": "AQAB",
            "kid": "id-token-keypair",
            "kty": "RSA",
            "n": "AKKsY+L6...bmmPFpPp",
            "use": "sig",
            "x5c": [ ... ]
        },
        {
            "e": "AQAB",
            "kid": "access-token-keypair",
            "kty": "RSA",
            "n": "AK3LejzR...OBGUPJE=",
            "use": "sig",
            "x5c": [ ... ]
        }
    ]
}
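
A client-side sketch of consuming this response, added here as an example and not taken from the Data Governance Broker or its documentation: it picks the JWK whose kid matches the one named in a token header, enforces the kty and use values listed in the table above, and decodes n and e into integers ready for an RSA verifier. The names select_signing_key, b64_to_int, sample_jwks and the 2048-bit minimum are assumptions of this example, and the sample modulus is a constructed placeholder rather than a real key.

```python
import base64
import json

MIN_MODULUS_BITS = 2048  # assumed local policy; the page sets no minimum


def b64_to_int(value):
    """Decode a JWK integer field, accepting base64url or standard base64."""
    # The page's sample "n" values contain '+' and '=', so normalise both forms.
    s = value.rstrip("=").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return int.from_bytes(base64.b64decode(s, validate=True), "big")


def select_signing_key(jwks_json, kid):
    """Return (n, e) for the single RSA signing key named `kid`, else raise ValueError."""
    doc = json.loads(jwks_json)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS document has no 'keys' array")
    matches = [k for k in keys if isinstance(k, dict) and k.get("kid") == kid]
    if len(matches) != 1:  # unknown kid, or ambiguous duplicates
        raise ValueError(f"expected one key with kid {kid!r}, found {len(matches)}")
    jwk = matches[0]
    if jwk.get("kty") != "RSA" or jwk.get("use") != "sig":
        raise ValueError("key is not an RSA signing key")
    try:
        n, e = b64_to_int(jwk["n"]), b64_to_int(jwk["e"])
    except (KeyError, AttributeError, ValueError) as exc:
        raise ValueError("missing or malformed 'n'/'e'") from exc
    if n.bit_length() < MIN_MODULUS_BITS:
        raise ValueError("RSA modulus is shorter than local policy allows")
    if e < 3 or e % 2 == 0:
        raise ValueError("invalid RSA public exponent")
    return n, e


def sample_jwks():
    """Constructed JWKS shaped like the example response (x5c omitted); not a real key."""
    fake_n = (1 << 2047) | 1  # placeholder 2048-bit odd integer
    n_b64 = base64.b64encode(b"\x00" + fake_n.to_bytes(256, "big")).decode()
    def key(kid):
        return {"kid": kid, "kty": "RSA", "use": "sig", "n": n_b64, "e": "AQAB"}
    return json.dumps({"keys": [key("id-token-keypair"), key("access-token-keypair")]})


if __name__ == "__main__":
    n, e = select_signing_key(sample_jwks(), "access-token-keypair")
    print(f"selected key: {n.bit_length()}-bit modulus, e={e}")
```

Because the endpoint is unauthenticated, the trust in the returned keys comes from fetching it over TLS from the expected host; the function above only validates the shape and parameters of what was fetched.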