JWKS and JWK selection
When a JSON Web Key Set provider is configured to be used in a mapping, the keys in the set will be consulted when trying to verify a JWS or when decrypting a JWE.
Since there are potentially multiple JWKS and multiple keys per key set, reducing the number of processed keys by filtering is recommended. By doing so, only a selection of keys is processed for the verification or decryption of the given token instead of all available keys.
The gateway uses a 2-stage filtering process to reduce the number of processed keys:
- Stage 1 – JWKS are filtered by their Issuer information.
- Stage 2 – The individual keys of the selected JWKS are finally filtered according to their key properties.
JSON Web Key Sets (JWKS) can have two sources:
- They can be locally configured.
- They can be configured to be dynamically fetched from a remote source using a Service URL.
Stage 1 – JWKS issuer selection
The Issuer information is used as a restriction to reduce the number of processed JWKS per mapping. Since the issuer information is optional, selecting JWKS is based upon several options.
For all referenced JWKS of a mapping:
- All key sets without issuer information are being selected.
- All key sets with issuer information that matches the
issclaim of the currently processed JWT are being selected. That means key sets will not be considered if the issuer information does not match the iss claim of the processed JWT.
Example:
Given a mapping has 4 providers with and without iss restrictions:
- Local JWKS with
local_issuer_name. - Local JWKS without issuer information.
- Remotely fetched JWKS with
remote_issuer_name. - Remotely fetched JWKS without issuer information.
With this set of information, 4 different types of request scenarios are possible:
Request where JWT iss == local_issuer_name:
- Selected JWKS: 1 + 2 + 4
Request with JWT with iss == remote_issuer_name:
- Selected JWKS: 2 + 3 + 4
Request with JWT without any iss:
- Selected JWKS: 2 + 4
Request where JWT iss does not match any JWKS issuer:
- Selected JWKS: 2 + 4
Stage 2 – Property selection mechanism
Using JWK properties, the key selection filter can further reduce the number of keys that have to be tried for the two JWT types JWS and JWE.
Keys are filtered out when:
- The optional
“use”property does not match the JWT type. - The optional
“key_ops”does not contain the relevant value of the JWT type. - The optional
“alg”property in its header does not match the“alg”property of the JWT. - The JWTs optional
“kid”property in its header does not match the keys“kid”property.
The property selection mechanism only uses a limited number of properties specified for JWT.
The following table adds more detailed information about the properties and their possible values:
Property name | Description | Possible values |
|---|---|---|
"use" |
|
|
"key_ops" |
| Only two values are relevant:
|
"alg" |
|
|
"kid" |
|
|
JWKS format example
A JWKS is a set of JWK and has the following format:
{
"keys": <array_of_jwk>
}Here is an example with two JWK entries:
{
"keys": [
{
"kty": "RSA",
"n": "AJdfpzpkSaMpiyKgsqbr9n1jpnA12vZy8NntcQgxg-oh8N2Lhmdt0ks3i08s4WC7tod6irhXBwdp5QHyRZDODbIzWtJMOk94vZYp9AKJNpoeqdmbe0zLISmzBanRYRNZhMBkRCQCqob2i3urm-RE09HLTT_wvMxLNFuxwTl_gF3hTK4wcjOLkAky8cDbu0NX[...]",
"e": "AQAB",
"kid": "iPz_o1_uG8p-RmrpR-MX3dO9lDvwMPjmZ-WEWvLn8QM"
},
{
"kty": "EC",
"x": "APWNl5usaFe3K3O1tQh3bwlQBKgHPuSHZ9O9NvK7uyK2",
"y": "HwCd34E8zm0hjnT0c71gBmHv--ABAjFDKBu4dI2-o-w",
"crv": "P-256",
"kid": "NqFC-b4dDXt3Tmah70rYEkn8JpuPcOS19avwqyRQgqA",
"alg": "ES256"
}
]
}