Understanding JWKS (JSON Web Key Set)
JWKS plays an important role in the verification of JWTs in many authentication protocols like OAuth. In this blog, we will break down JWKS and how it works.
Join the DZone community and get the full member experience.Join For Free
JWTs or JSON Web Tokens are most commonly used to identify authenticated users and validate API requests. Part of this verification process requires the use of cryptographic keys to validate the integrity of the JWT to make sure it has not been tampered with. The set of keys used for this process is called JWKS or JSON Web Key Set. In this blog post, we will go over what JWKS are and how they are used.
What Are JSON Web Keys (JWKS)?
JSON Web Keys (JWKs) are a JSON data structure that represents cryptographic keys. These keys are primarily used for verifying JWTs in OAuth flows. JWKs are designed to be easily exchanged, making them a standardized and interoperable format for representing cryptographic keys.
Structure of the JWKS
A sample JWKS will have the following layout:
"mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx 4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2 QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
A JWK consists of a JWK Container Object, which is a JSON object that contains an array of JWK key objects as a member. The values of the JWK Container Object members can change depending on which algorithm is used. The example above contains a single member using the RSA algorithm and has the following members:
- alg: This member identifies the cryptographic algorithm used with the key.
- mod: Contains the modulus value of the RSA public key. It is a base64 encoded
- exp: exponent value for the RSA public key. It is base64 encoded
- kid: The key ID is used to match a specific key. During key rotation, the kid is used to choosing among a set of keys within the JWK.
How Does JWKS Work?
To make sure a JWT has not been tampered with, we need to validate its integrity by verifying the signature. This requires a public key corresponding to the private key used by the Authorization Server to initially sign the JWT. Typically, the JWKS can be retrieved by querying an endpoint exposed by the Authorization Server, known as a “JWKS endpoint.”
Benefits of Using JWKS
- Security: JWKS enables the separation of concerns by centralizing key management. This segregation reduces the risk of exposing critical keys accidentally and is a much safer approach as opposed to having the keys hard coded.
- Scalability: As web applications grow in complexity, managing cryptographic keys in a scalable manner becomes crucial. JWKS provides a standardized way to handle keys, simplifying key distribution and rotation as the application scales.
- Interoperability: JWKS is designed to be easily exchanged across different platforms and services. This interoperability fosters seamless integration between various components of the authentication ecosystem.
Considerations for JWKS Implementation
For most users, you will be using an authentication provider and will not have to deal with setting up your Authorization Server, but if you do decide to implement the flow yourself, here are some tips to ensure the security of your system in regard to JWKS:
- Regular Key Rotation: Frequently rotate the cryptographic keys represented in the JWKS to minimize the impact of potential key compromises.
- Access Control: Restrict access to the JWKS endpoint to only authorized clients and implement appropriate access control mechanisms.
- Secure Key Storage: Store the cryptographic keys securely, employing industry-standard practices like Hardware Security Modules (HSMs) or cloud-based Key Management Services (KMS).
When it comes to authentication, there are a number of terms and protocols thrown around, which can be confusing when you first get started. We hope that through this article, you have a better understanding of JWKS, its relevance to JWTs, and how they are used.
Published at DZone with permission of Joel Coutinho. See the original article here.
Opinions expressed by DZone contributors are their own.