jwks

The jwks endpoint is described in the OpenID Connect Discovery specification, as the "jwks_uri" metadata value:

The jwks_uri is the URL of the OpenID Provider's JSON Web Key Set (JWK Set) document. This contains the signing key(s) the client/RP uses to validate signatures from the OpenID Provider, including the signatures of the various tokens issued by the OpenID Provider.


The JSON Web Key specification (RFC 7517) defines two high-level data structures, JWK and JWK Set:

JSON Web Key (JWK): A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

JWK Set: A JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, which is an array of JWKs.


The document may contain several signing keys (for example while keys are being rotated), and the client must select the key to use for verification by matching the "kid" (Key ID) header parameter of the token against the "kid" of the keys in the set. The "kid" is only a lookup hint: the client should also check that the selected key is a signing key ("use": "sig") whose "alg" matches the token's, and must reject the token if no such key is found rather than trying every key in the set. Since keys rotate, cache the document and refetch it from the jwks_uri when a token carries an unknown "kid".

Endpoint URL

The jwks endpoint URL is found as the value of the "jwks_uri" key in the openid-configuration document.

Typical format of the URL is:

JWKS Endpoint URL - Example format
https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect/certs

JWKS Request

Requesting the document is done with a normal HTTP GET request; no user or client authentication is needed.

Note however that the URL contains a reference to the Security Domain, so each Security Domain has its own key set and a token must be verified against the key set of the Security Domain that issued it.

Example request

Example jwks_uri request
BASEURL="https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect"

# A GET has no request body, so no Content-Type header is needed; ask for JSON explicitly.
curl -i -w "\n" -H "Accept: application/json" ${BASEURL}/certs

JWKS Response

The response, in terms of the number of active keys and the JWK parameters present, may vary depending on the key type and Security Domain. The response uses the application/json media type.

Example jwks_uri output (two keys)
{
  "keys": [
    {
      "kid": "oQzkkdLlojxj2yM0FaR5DI113i-WAy-gdgg0rk_aIGg",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "naXd8csjhsupCwslLApWD1VMiav4I2RS3o_inZMuDFXD59ZwCxG-R77-byjxFBEw3a9SlJRbbmJg2mraL2TxO9rm8bhhKozGx0AefocMqq5cucUSss7y4rCa912m63Tq8HQpmK5M1RLeXU9Kyrmqpzfr90tBMCZwaGYFptaVuLv6Sl77JXx2rJoxUtDiOcamtiJoWckaBsD7FPGUzQ6wUjKDZGjALWh0pj9snhuA-Sb6UKjJE9eDhWa8938EUBuESVwOaDWCW0ivs2QKIe2hyAhcATArC-qE1EehxgX9BVzZ6IYO3W4IqWgAzfNI3Zj8Zi-c6XPPTdxYej35AnCXww",
      "e": "AQAB"
    },
    {
      "kid": "sQbUNpCmxzvrOD3qtDdNM_IFSUNOi1JEirUxx5uaWG4",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "o89D21ssux63ehCw3Of6SmE_8RuwFNqq4vtkjRX8-tEPfEoJWY2QSTNqthznDzrlO7cgqE6u5JJaZnofuXEafmNWYKkJkcr7vNmKjdEj3dHnH278qohta9a3PwzwrAnO3enICDgjSZ7vi7-os4V3-phQOcMnyYxyffKlHFK5aVqvIfm55cbXu9hahN7tsJJttWaJc9wPsGo-9dGF9MqmYBROO-RCJ90zR7HJehbVddfzIBrHeQ8z0MIxO-YZfZP0aU9OTSKFBXwJD1QLMfRHS4f8Oj3WqCPjnB4yUtVQaRNzn5oRSLj_JTBL5O6KvBj7c-uS0x60GDWqH5HtargPbw",
      "e": "AQAB"
    }
  ]
}
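The following is an added example, not Buypass or Keycloak code, showing the client-side key selection described above: it takes a JWK Set of the same shape as the output above, picks the key whose "kid" matches the token header, checks "use", "alg" and "kty" on that key, and verifies the RS256 signature. Because it uses only the Python standard library, it generates its own throwaway RSA keys (512 bits, for demonstration only; provider keys are 2048 bits or more) and publishes them as a JWK Set; the key names, the "kid" derivation as an RFC 7638 thumbprint and the claims are assumptions of the example, not facts about the Buypass endpoint.

```python
# Added example (not Buypass code): RS256 JWT verification against a JWK Set, key chosen by "kid".
# Demo-only RSA key generation with 512-bit keys; a real client uses a vetted crypto library.
import base64, hashlib, hmac, json, math, secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin on an odd candidate > 3; fine for a demo key, not for production."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def gen_rsa(bits: int = 512) -> tuple:
    e = 65537  # return the demo private key as (n, e, d)
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def make_jwk(n: int, e: int) -> dict:
    # Public JWK; the kid is the RFC 7638 thumbprint (an assumption of this example).
    n_b64 = b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))
    e_b64 = b64url_encode(e.to_bytes((e.bit_length() + 7) // 8, "big"))
    canonical = json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64}, separators=(",", ":"), sort_keys=True)
    kid = b64url_encode(hashlib.sha256(canonical.encode("ascii")).digest())
    return {"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "n": n_b64, "e": e_b64}

def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()  # RFC 8017, section 9.2
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for SHA-256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign_jwt(payload: dict, key: tuple, kid: str) -> str:
    n, _e, d = key  # provider side: compact JWS, alg RS256, signing key's kid in the header
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    em_len = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha256(signing_input.encode("ascii"), em_len), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(em_len, "big"))

def rsa_verify(jwk: dict, message: bytes, signature: bytes) -> bool:
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")  # public key straight from the JWK
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    em_len, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    if len(signature) != em_len or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(em_len, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(message, em_len))

def verify_jwt(token: str, jwks: dict) -> dict:
    parts = token.split(".")  # RP side: payload if exactly one matching key verifies, else ValueError
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: "alg" in the header is attacker-controlled and must not choose the verifier.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    kid = header.get("kid")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid and k.get("kty") == "RSA"
                  and k.get("use", "sig") == "sig" and k.get("alg", "RS256") == "RS256"]
    if len(candidates) != 1:
        # An unknown kid usually means the provider rotated keys: refetch jwks_uri once, then fail.
        raise ValueError("no unique signing key for kid %r" % kid)
    message = (parts[0] + "." + parts[1]).encode("ascii")
    if not rsa_verify(candidates[0], message, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(parts[1]))

if __name__ == "__main__":
    key_a, key_b = gen_rsa(), gen_rsa()  # two active keys, as in the two-key output above
    jwks = {"keys": [make_jwk(key_a[0], key_a[1]), make_jwk(key_b[0], key_b[1])]}
    print(verify_jwt(sign_jwt({"sub": "user123", "iss": "demo"}, key_a, jwks["keys"][0]["kid"]), jwks))
```

The verifier never lets the token pick the algorithm or fall back to "try every key": a token whose header names a "kid" that is not in the set, or whose "alg" is anything but RS256, is rejected before any signature arithmetic runs.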