JSON Web Key Sets (JWKS)
A JSON Web Key Set (JWKS) is a JSON object that represents a set of JWKs (JSON Web Keys). The JSON object MUST have a keys member, which is an array of JWKs.
JWKS contains public keys used to verify any JSON Web Token (JWT) signed with RS256 algorithm.
Structure
A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a 'keys' member:
{
"keys": [
/* Array of JWK values */
]
}
JSON Web Key (JWK)
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.
Required Member
- kty (Key Type): identifies the cryptographic algorithm family used with the key, such as 'RSA' or 'EC'
- This member MUST be present in a JWK
Optional Common Parameters
- use (Public Key Use): Values include "sig" (signature) or "enc" (encryption)
- key_ops (Key Operations): Array of operations like "sign", "verify", "encrypt", "decrypt", "wrapKey", "unwrapKey"
- alg (Algorithm): identifies the algorithm intended for use with the key
- kid (Key ID): used to match a specific key
X.509 Certificate Parameters
- x5u (X.509 URL): URI referring to X.509 public key certificate resource
- x5c (X.509 Certificate Chain): Array of base64-encoded DER PKIX certificates
- x5t (X.509 SHA-1 Thumbprint): base64url-encoded SHA-1 thumbprint
- x5t#S256 (X.509 SHA-256 Thumbprint): base64url-encoded SHA-256 thumbprint
Example JWK (Elliptic Curve)
{
"kty": "EC",
"crv": "P-256",
"x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
"use": "enc",
"kid": "1"
}
Key Signing Algorithms
- RS256: Asymmetric - private key must be used to sign the JWT and a different public key must be used to verify the signature
- HS256: Also supported
Usage
- Auth0 exposes JWKS endpoint at
https://{yourDomain}/.well-known/jwks.json - Uses JSON Web Key (JWK) specification (RFC 7517) for representing cryptographic keys
- Each Auth0 tenant has its own JWKS endpoint
- Currently, Auth0 signs with only one JWK at a time; however, it is important to assume this endpoint could contain multiple JWKs
- Multiple keys appear during key rotation
Security
Access to JWKs containing non-public key material by parties without legitimate access to the non-public information MUST be prevented.
Recommended approach: Use JWE (JSON Web Encryption) with "cty" header value of "jwk+json" for encrypted JWKs, or "jwk-set+json" for encrypted JWK Sets.