Submenu - JWKS Providers

JWK is a JSON representation of cryptographic keys widely used in the context of JWT. A set of such keys is known as JWKS, a JSON Web Key Set. JWKS is also the format used by the gateway to configure verification of access tokens.

When a JSON Web Key Set provider is configured to be used in a mapping, the keys in the set will be consulted when trying to verify a JWS or when decrypting a JWE.

The gateway uses a 2-stage filtering process to reduce the number of processed keys:
  • Stage 1 – JWKS are filtered by their Issuer information.
  • Stage 2 – The individual keys of the selected JWKS are then filtered according to their key properties.

Local JWKS

Local (static) JWKS can be managed in the Local tab:

[Screenshots: Local JWKS providers; JWKS provider example]
Name
When adding a new JWKS you should choose and add a self-explanatory provider name here. This provider name will appear in a drop-down list when choosing a JWKS provider for a mapping.
Content
This field holds the JWKS with its individual keys. Simply copy the JWKS content into the text box.
Issuer
This information is used for the first stage of the JWKS filter process. The issuer information is optional.

JWKS without issuer information are less restricted and potentially match more often. This can result in a higher number of processed keys.

A fully configured local JWKS may look like the following:
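The two-stage filtering described above, run over constructed local JWKS provider entries (an added example, not the gateway's code or the page's own screenshot). It assumes the token's `iss` claim and JOSE header fields `kid`/`alg` are read before verification and that the key parameters are placeholders; the issuer-less `legacy` provider shows why such entries produce more processed keys.

```python
import json

# Constructed local JWKS provider entries, as entered in the Local tab: a
# provider name, optional issuer and the JWKS content. Key parameters are
# placeholders, not real key material (added example).
LOCAL_PROVIDERS = [
    {"name": "idp-a", "issuer": "https://idp-a.example", "content": json.dumps({"keys": [
        {"kty": "RSA", "kid": "a-sig-1", "use": "sig", "alg": "RS256", "n": "n-ph", "e": "AQAB"},
        {"kty": "RSA", "kid": "a-enc-1", "use": "enc", "alg": "RSA-OAEP", "n": "n-ph", "e": "AQAB"},
    ]})},
    {"name": "idp-b", "issuer": "https://idp-b.example", "content": json.dumps({"keys": [
        {"kty": "EC", "kid": "b-sig-1", "use": "sig", "alg": "ES256", "crv": "P-256", "x": "x-ph", "y": "y-ph"},
    ]})},
    # No issuer configured: consulted for every issuer (less restricted).
    {"name": "legacy", "issuer": None, "content": json.dumps({"keys": [
        {"kty": "RSA", "kid": "a-sig-1", "use": "sig", "n": "n-ph", "e": "AQAB"},
    ]})},
]

def stage1_filter_by_issuer(providers, iss):
    """Stage 1: keep the JWKS whose configured issuer equals the token's iss
    claim; a provider without issuer information always passes."""
    return [p for p in providers if p["issuer"] is None or p["issuer"] == iss]

def stage2_filter_by_key_properties(providers, header, op):
    """Stage 2: from the selected JWKS keep keys whose properties fit the JOSE
    header (kid, alg) and the operation: 'sig' for a JWS, 'enc' for a JWE.
    Optional JWK members (use, alg) only restrict when present (RFC 7517)."""
    selected = []
    for p in providers:
        for key in json.loads(p["content"])["keys"]:
            if "kid" in header and key.get("kid") != header["kid"]:
                continue
            if "use" in key and key["use"] != op:
                continue
            if "alg" in key and key["alg"] != header.get("alg"):
                continue
            selected.append((p["name"], key["kid"]))
    return selected

def select_keys(providers, iss, header, op):
    """Both stages in order; returns (provider name, kid) pairs to try."""
    stage1 = stage1_filter_by_issuer(providers, iss)
    return stage2_filter_by_key_properties(stage1, header, op)
```

The returned pairs are the candidate keys the verifier (or decrypter) still has to try; selection alone proves nothing about the token.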

Remote JWKS

When adding a new Remote JWKS Provider, the settings on the Basic tab and the additional SSL settings must be configured. For security reasons any remote source normally requires a secured connection using hostname verification and a valid SSL certificate/CA chain, which can be configured in the SSL tab.

[Screenshot: configured remote JWKS providers]
Refresh interval (in seconds)
Here you can choose the polling interval for re-fetching remotely stored JWKS from the Service URL addresses.
  • The JWKS is cached on the gateway.
  • The provider service is invoked whenever the gateway configuration is being loaded or reloaded or when the refresh interval is reached.
  • If the provider service invocation fails, the last JWKS fetched will be used until the service can be invoked successfully again.
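The caching and refresh behaviour listed above, modelled in an added example (not the gateway's implementation): the fetch runs on configuration load, again once the refresh interval is reached, and a failed fetch leaves the last successfully fetched JWKS in use. The retry-after-a-full-interval timing and the fake clock are assumptions of the example.

```python
import json
class RemoteJwksCache:
    """Models the Refresh interval behaviour: fetch on (re)load, re-fetch once the
    interval elapses, keep the last good JWKS if a fetch fails (added example)."""

    def __init__(self, fetch, refresh_interval, clock):
        self._fetch = fetch                  # returns JWKS JSON text, raises on failure
        self._interval = refresh_interval    # seconds
        self._clock = clock                  # returns seconds as float
        self._jwks = None
        self._next_refresh = None
        self.last_error = None

    def reload(self):
        # Invoked on configuration (re)load and whenever the interval is reached.
        try:
            self._jwks = json.loads(self._fetch())
            self.last_error = None
        except Exception as exc:
            self.last_error = repr(exc)      # previous key set stays in use
        # Assumption: after a failure the next attempt waits a full interval.
        self._next_refresh = self._clock() + self._interval

    def keys(self):
        if self._next_refresh is None or self._clock() >= self._next_refresh:
            self.reload()
        if self._jwks is None:
            raise RuntimeError("no JWKS fetched yet: %s" % self.last_error)
        return self._jwks["keys"]

def simulate():
    # Constructed responses: the endpoint answers, fails once, then rotates the key.
    responses = iter([
        json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "n": "ph", "e": "AQAB"}]}),
        ConnectionError("503 from JWKS endpoint"),
        json.dumps({"keys": [{"kty": "RSA", "kid": "k2", "n": "ph", "e": "AQAB"}]}),
    ])
    def fetch():
        r = next(responses)
        if isinstance(r, Exception):
            raise r
        return r
    clock = [0.0]
    cache = RemoteJwksCache(fetch, refresh_interval=300, clock=lambda: clock[0])
    seen = []
    for t in (0, 100, 300, 400, 600):    # seconds since the configuration was loaded
        clock[0] = float(t)
        seen.append(([k["kid"] for k in cache.keys()], cache.last_error))
    return seen
```

Note that while `last_error` is set the gateway keeps verifying with a possibly rotated-out key set, so a persistent fetch failure is worth alerting on.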
Name
When adding a new JWKS you should choose and add a self-explanatory provider name here. This provider name will appear in a drop-down list when choosing a JWKS for a mapping.
Service URL
This field holds the URL from where the JWKS can be fetched. It is the source URL of the key set.
Issuer
This information is used for the first stage of the JWKS filter process. The issuer information is optional.

JWKS without issuer information are less restricted and potentially match more often. This can result in a higher number of processed keys.

Basic tab: the Name, Service URL and Issuer fields described above.

SSL tab:

[Screenshot: remote JWKS client SSL certificate settings]
Client certificate
A selectable list of SSL/TLS certificates for this client.
Content of SSL client certificate
Shows the content of the certificate.
Content of CA chain
Shows the CA chain of trust for the selected client certificate.
SSL protocol
The SSL/TLS version which will be used by this virtual host can be set here. If the setting is left empty, the Apache default values will be used. See the Apache mod_ssl documentation for details.
Cipher suite
Lists the ciphers that the client is permitted to negotiate. If the setting is left empty, the Apache default will be used. Follow the link to the Apache mod_ssl reference at the end of this article for more information.
Restrictions:
  • Cipher-spec strings can be used with all SSL protocol settings except TLSv1_3.
  • TLSv1.3 cipher names require the SSL protocol to be set to TLSv1_3.
Force new session
Checkbox to enable/disable a forced restart of the SSL/TLS handshake.
Verify host name
Checkbox to disable/enable hostname verification. Default is enabled.
Hostname verification requires a server identity check in combination with a valid CA chain to mitigate man-in-the-middle attacks. Without a CA, the configuration validation will fail. See also CAs for server chain validation.
Allow insecure server certificate verification
Checkbox to enable/disable insecure server certificate verification.
Note that by enabling this option you explicitly allow skipping the hostname and CA server chain validation.
CAs for server chain validation
Certificate chain verification ensures that a given certificate chain is valid, properly signed, and trustworthy. A CA has to be added when Verify host name is enabled; otherwise, the configuration validation will fail.
Content of CA chain
Shows the CA chain of trust used for server chain validation.

Further information and links