The jwks endpoint is described in the OIDC specification:
The jwks_uri is the URL of the OpenID Providers JSON Web Key Set JSON Web Key Set (JWK) document. This contains the signing key(s) the client/RP can use to validate signatures from the OpenID Provider. This includes validation the signatures of the various tokens issues by the OpenID Provider.
The spesification defines two high level data structures: JWKS and JWK:
JSON Web Key (JWK): A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
JWK Set: A JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, which is an array of JWKs.
The document may contain several signing keys, and the client based on the "kid" (Key ID) parameter need to select what key to use for verification.
Endpoint URL
The jwks endpoint URL can be found by looking at the value of the "jwks_uri" key in the jwks.
Typical format of the URL is:
https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/certs
JWKS Request
Requesting the document is done by a normal HTTP GET request, without the need for any user or client authentication.
Note hovever that the URL contains reference to the Security Domain.
Example request
BASEURL="https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect"; curl -i -w "\n" -H "Content-Type: application/x-www-form-urlencoded" ${BASEURL}/certs
JWKS Respons
The response, in terms of number of active keys and the various JWK parameters may vary depending on the key tope and Security Domain. The response uses the application/json media type.
{ "keys": [ { "kid": "oQzkkdLlojxj2yM0FaR5DI113i-WAy-gdgg0rk_aIGg", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "naXd8csjhsupCwslLApWD1VMiav4I2RS3o_inZMuDFXD59ZwCxG-R77-byjxFBEw3a9SlJRbbmJg2mraL2TxO9rm8bhhKozGx0AefocMqq5cucUSss7y4rCa912m63Tq8HQpmK5M1RLeXU9Kyrmqpzfr90tBMCZwaGYFptaVuLv6Sl77JXx2rJoxUtDiOcamtiJoWckaBsD7FPGUzQ6wUjKDZGjALWh0pj9snhuA-Sb6UKjJE9eDhWa8938EUBuESVwOaDWCW0ivs2QKIe2hyAhcATArC-qE1EehxgX9BVzZ6IYO3W4IqWgAzfNI3Zj8Zi-c6XPPTdxYej35AnCXww", "e": "AQAB" }, { "kid": "sQbUNpCmxzvrOD3qtDdNM_IFSUNOi1JEirUxx5uaWG4", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "o89D21ssux63ehCw3Of6SmE_8RuwFNqq4vtkjRX8-tEPfEoJWY2QSTNqthznDzrlO7cgqE6u5JJaZnofuXEafmNWYKkJkcr7vNmKjdEj3dHnH278qohta9a3PwzwrAnO3enICDgjSZ7vi7-os4V3-phQOcMnyYxyffKlHFK5aVqvIfm55cbXu9hahN7tsJJttWaJc9wPsGo-9dGF9MqmYBROO-RCJ90zR7HJehbVddfzIBrHeQ8z0MIxO-YZfZP0aU9OTSKFBXwJD1QLMfRHS4f8Oj3WqCPjnB4yUtVQaRNzn5oRSLj_JTBL5O6KvBj7c-uS0x60GDWqH5HtargPbw", "e": "AQAB" } ] }