Friday, August 25, 2023

All about JWKS or JSON Web Key Sets

What are JSON Web Key Sets?

Refer to this to understand how a JWKS looks: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties

In addition, refer to this: https://redthunder.blog/2017/06/08/jwts-jwks-kids-x5ts-oh-my/.

Besides, here are some handy commands.

First up, to get the public key from the cert, run:

openssl x509 -pubkey -noout -in <cert_file>

To generate the value of n, run:

openssl rsa -pubin -modulus -noout < public.key

Finally, to get the exponent (e), run:

openssl rsa -pubin -inform PEM -text -noout < public.key

The kid field needs to be some value that uniquely identifies which key was used for encryption. x5t is the SHA-1 thumbprint of the leaf cert, but it is optional and can be skipped.
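The commands above print n as a hex string and e as a decimal number, while a JWK carries both as unpadded base64url of the big-endian bytes. The following Python is an added example, not from the original post, that converts that openssl output into a one-key JWKS; using the RFC 7638 thumbprint as the kid is an assumption (any value unique within the set works), and the sample values are constructed.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK members require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def n_from_modulus_output(text: str) -> str:
    """Convert the 'Modulus=<HEX>' line from `openssl rsa -modulus` to JWK n."""
    match = re.search(r"Modulus=([0-9A-Fa-f]+)", text)
    if not match:
        raise ValueError("no Modulus= line found")
    hex_digits = match.group(1)
    if len(hex_digits) % 2:  # bytes.fromhex needs an even digit count
        hex_digits = "0" + hex_digits
    # JWK n is the unsigned big-endian integer with no leading zero octets.
    return b64url(bytes.fromhex(hex_digits).lstrip(b"\x00"))


def e_from_text_output(text: str) -> str:
    """Convert the 'Exponent: 65537 (0x10001)' line from `openssl rsa -text` to JWK e."""
    match = re.search(r"Exponent:\s*(\d+)", text)
    if not match:
        raise ValueError("no Exponent: line found")
    value = int(match.group(1))
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def build_jwks(modulus_output: str, text_output: str) -> dict:
    jwk = {"kty": "RSA", "n": n_from_modulus_output(modulus_output),
           "e": e_from_text_output(text_output)}
    # Assumption: kid = RFC 7638 thumbprint (SHA-256 over the required members,
    # sorted by name, no whitespace). Any value unique within the set would do.
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    jwk["kid"] = b64url(hashlib.sha256(canonical.encode()).digest())
    return {"keys": [jwk]}


# Constructed sample output (a toy 32-bit modulus, far too small for real use).
SAMPLE_MODULUS = "Modulus=C0FFEE01\n"
SAMPLE_TEXT = "Exponent: 65537 (0x10001)\n"

if __name__ == "__main__":
    print(json.dumps(build_jwks(SAMPLE_MODULUS, SAMPLE_TEXT), indent=2))
```

The leading-zero strip matters when the hex is copied from the `-text` output, which prefixes a 00 byte to the modulus; leaving it in produces an n that strict verifiers reject or treat as a different key.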

What good are they?

They are used to put together multiple cert bundles, which could be used to validate auth tokens such as JWS tokens. Many systems, including Envoy, take the bundle in JWKS format, and this also works well with SPIFFE/SPIRE-type systems.

