JSON Web Key Set (JWKS)¶
The JWKS endpoint provides the public keys used by DIP for signing ID tokens. Clients use these keys to verify the signature of ID tokens received from the token endpoint.
Endpoint¶
Response¶
The endpoint returns a JSON Web Key Set (JWKS) as defined in RFC 7517.
Response Headers¶
| Header | Value |
|---|---|
| Content-Type | application/json |
| Cache-Control | public, max-age=86400 |
Response Body¶
{
"keys": [
{
"kty": "EC",
"use": "sig",
"kid": "123456789",
"crv": "P-256",
"x": "base64url-encoded-x-coordinate",
"y": "base64url-encoded-y-coordinate",
"x5c": ["base64-encoded-cert", "..."]
}
]
}
Key Properties¶
| Property | Description |
|---|---|
| kty | Key type. DIP uses EC (Elliptic Curve) for signing keys. |
| use | Key usage. sig indicates the key is used for signatures. |
| kid | Key ID. The certificate serial number, used to match the key with the kid header in JWTs. |
| crv | Curve name. DIP uses P-256 for ES256 signatures. |
| x | Base64url-encoded x-coordinate of the EC public key. |
| y | Base64url-encoded y-coordinate of the EC public key. |
| x5c | X.509 certificate chain. Contains the signing certificate and its issuing CA certificates. |
Usage¶
When validating an ID token signature:
- Decode the ID token header to get the kid (key ID) and confirm that alg is ES256, the algorithm DIP signs with
- Fetch the JWKS from this endpoint
- Find the key with the matching kid
- Use that public key to verify the signature
Notes¶
- DIP uses ES256 (ECDSA with P-256 curve) for signing ID tokens
- The signing key is separate from the encryption key (clients provide their own RSA key for encryption)
- Always match keys by kid; do not assume key order or count