When a JSON Web Key Set provider is configured to be used in a mapping, the keys in the set will be consulted when trying to verify a JWS or when decrypting a JWE.
Since there are potentially multiple JWKS and multiple keys per key set, reducing the number of processed keys by filtering is recommended. By doing so, only a selection of keys is processed for the verification or decryption of the given token instead of all available keys.
- The gateway uses a 2-stage filtering process to reduce the number of processed keys:
  - Stage 1 – JWKS are filtered by their Issuer information.
  - Stage 2 – The individual keys of the selected JWKS are finally filtered according to their key properties.
- JSON Web Key Sets (JWKS) can have two sources:
  - They can be locally configured.
  - They can be configured to be dynamically fetched from a remote source using a Service URL.
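
The 2-stage filtering described above, sketched for JWS verification only. This is an added example, not the gateway's own code: the key properties used in stage 2 (`kty`, `use`, `alg`, `kid`) are an assumption, and the issuers, key IDs and token are constructed sample data.

```python
import base64
import json

# Constructed sample key sets (issuers and kids are made up; key material omitted).
KEY_SETS = [
    {"issuer": "https://idp.example.test", "keys": [
        {"kty": "RSA", "kid": "rsa-2023", "use": "sig", "alg": "RS256"},
        {"kty": "RSA", "kid": "rsa-2024", "use": "sig", "alg": "RS256"},
        {"kty": "RSA", "kid": "rsa-enc", "use": "enc", "alg": "RSA-OAEP-256"}]},
    {"issuer": "https://partner.example.test", "keys": [
        {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256"}]},
]
# Signature alg prefix -> required key type; anything else ("none", "HS*") matches no key.
ALG_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}

def _b64url_json(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def stage1_by_issuer(key_sets, issuer):
    """Stage 1: keep only key sets whose configured issuer equals the token's iss."""
    return [ks for ks in key_sets if ks["issuer"] == issuer]

def stage2_by_key_properties(key_sets, header):
    """Stage 2: keep keys whose kty/use/alg/kid fit the JWS header (assumed properties)."""
    alg, kid = header.get("alg", ""), header.get("kid")
    kty = ALG_TO_KTY.get(alg[:2])
    return [k for ks in key_sets for k in ks["keys"]
            if k["kty"] == kty
            and k.get("use", "sig") == "sig"
            and k.get("alg", alg) == alg
            and (kid is None or k.get("kid") == kid)]

def candidate_keys(jws, key_sets=KEY_SETS):
    """Return the keys worth trying; iss is unverified here and only narrows the search."""
    header_b64, payload_b64, _signature = jws.split(".")
    header, payload = _b64url_json(header_b64), _b64url_json(payload_b64)
    return stage2_by_key_properties(stage1_by_issuer(key_sets, payload.get("iss")), header)

def sample_jws(header, payload):
    """Build a constructed token for the demo; the signature part is a dummy value."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"

if __name__ == "__main__":
    token = sample_jws({"alg": "RS256", "kid": "rsa-2024"}, {"iss": "https://idp.example.test"})
    print([k["kid"] for k in candidate_keys(token)])
```

An empty candidate list means the token is rejected without trying any key. The filter only selects which keys to try, so the signature check against a selected key still decides whether the token is accepted.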