IAM uses digital signatures to prove the authenticity and integrity of issued tokens. A recipient of these tokens must properly verify the tokens' digital signatures before extending trust to the tokens.
To validate a signature, the recipient needs a copy of the public key that corresponds to the private key IAM used for signing. IAM can supply this either as a copy of the public key itself or as an IAM URL from which the recipient queries and downloads a JWKS (JSON Web Key Set) containing all the signing keys IAM currently uses.
IAM already provides a JWKS endpoint as part of the OAuth 2.0/OIDC authorization server. This endpoint includes all keys on the authorization server and remains unchanged. The JWKS endpoint described here is an IAM-wide REST endpoint that can be used independently from OAuth/OIDC. The endpoint's response contains all IAM keys used for signing.
The JWKS endpoint response includes public keys from the following plugins:

- JWT Ticket RSA Signer Settings
- JWT Ticket EC Signer Settings
- OAuth 2.0 and OIDC Private Key JWT Client Authentication
- OAuth 2.0 and OIDC JWT Access Token Private Key Signature
- OIDC ID Token Private Key Signature
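How a recipient would validate an IAM-issued token against the JWKS described above, as an added example that is not IAM's own code. Nothing is fetched: the RSA key pair, the JWKS document and the signed token are constructed inline (the kid `iam-signer-example` and the issuer `https://iam.example/` are placeholders), and RS256 is implemented on top of the standard library so the script runs offline. The verifier pins the algorithm from the untrusted header, looks the key up by `kid` in the JWKS, recomputes the PKCS#1 v1.5 encoding and compares it in constant time. The 512-bit key size is for speed only.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example, not IAM's code: a token recipient verifying an RS256 signature against a
# JWKS. Key pair, JWKS and token are constructed locally; a real recipient downloads the JWKS.

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def int_to_b64url(value: int) -> str:
    return b64url_encode(value.to_bytes((value.bit_length() + 7) // 8, "big"))
def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")

# --- toy RSA key pair (512-bit only so the example is fast; far too small for real use) ---
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin rounds with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if is_probable_prime(c):
            return c

def generate_rsa_key(bits: int = 512) -> dict:
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message): 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def public_jwk(key: dict, kid: str) -> dict:
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": int_to_b64url(key["n"]), "e": int_to_b64url(key["e"])}

def sign_jwt(claims: dict, key: dict, kid: str) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    em_len = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode("ascii"), em_len), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(em_len, "big"))

def verify_jwt(token: str, jwks: dict) -> dict:
    """Return the claims if the signature validates against a JWKS key, else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not three segments
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled: pin the algorithm and use "kid" only as a lookup hint.
    if header.get("alg") != "RS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    keys = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig" and k.get("alg", "RS256") == "RS256"]
    if not keys:
        raise ValueError(f"no RSA signing key with kid {header.get('kid')!r} in JWKS")
    n, e = b64url_to_int(keys[0]["n"]), b64url_to_int(keys[0]["e"])
    em_len = (n.bit_length() + 7) // 8
    sig = b64url_decode(sig_b64)
    if len(sig) != em_len:
        raise ValueError("signature has wrong length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(em_len, "big")
    expected = emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode("ascii"), em_len)
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def verification_error(token: str, jwks: dict):
    try:  # None when the token verifies, otherwise the reason it was rejected
        verify_jwt(token, jwks)
    except ValueError as exc:
        return str(exc)

# Constructed stand-ins for IAM's JWKS response and an IAM-issued token.
IAM_KEY = generate_rsa_key()
IAM_JWKS = {"keys": [public_jwk(IAM_KEY, "iam-signer-example")]}
SAMPLE_TOKEN = sign_jwt({"iss": "https://iam.example/", "sub": "alice"}, IAM_KEY, "iam-signer-example")
```

To use it against IAM, replace the constructed `IAM_JWKS` with the document downloaded from IAM's JWKS endpoint, cache it, and refetch when a token carries a `kid` that is not in the cached set so that key rotation on the IAM side does not break verification; `verify_jwt` then returns the claims, which still need the usual `iss`, `aud` and expiry checks before the token is trusted.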