Applies to: reference, configuration, jwks

Manual JWKS Download

This document describes how to download and store a file containing the public keys of an OpenID Connect identity issuer.

In normal operation, MOPS 4.0 native services automatically download the JSON Web Key Set (JWKS) from the issuer and store it in the configured location on disk. If the server is running without internet access, however, the cached file must be created or updated by hand, using the steps below.

Identify the identity issuer URL

The issuer URL can be found in the configuration of your identity provider, or in the access token of a request made from the web browser.

The examples below use the issuer URL https://adfs.mops-something.com/adfs.

Fetch the OpenID Configuration

Using the issuer URL as the base path, append .well-known/openid-configuration. The result is the URL of the OpenID configuration document, which you can fetch simply by entering it in your browser.

https://adfs.mops-something.com/adfs/.well-known/openid-configuration

The returned document is in JSON format:

{
    "issuer": "https://adfs.mops-something.com/adfs",
    ...
    "jwks_uri": "https://adfs.mops-something.com/adfs/discovery/keys",
    ...
}

Most fields have been removed from the example above. The field of interest is the one named jwks_uri.

Fetch the JSON Web Key Set

Using the value of jwks_uri from the OpenID configuration, fetch the keys by entering that URL in the browser. This returns a JSON document with the set of public keys used by the identity issuer.

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "alg": "RS256",
            "kid": "IzofLPZVZ6A2kSc4oXU7T7xwEHk",
            "x5t": "IzofLPZVZ6A2kSc4oXU7T7xwEHk",
            "n": "oWBO7DwIo ... 2WQ",
            "e": "AQAB",
            "x5c": [
                "MIIC4jCCAcqg ... HmDg=="
            ]
        },
        {
            "kty": "RSA",
            "use": "sig",
            "alg": "RS256",
            "kid": "yxzi_HDTCtzOJbeqytObCpQsTY8",
            "x5t": "yxzi_HDTCtzOJbeqytObCpQsTY8",
            "n": "rg-KiAK2FWWUi ... 57Q",
            "e": "AQAB",
            "x5c": [
                "MIIC4jCC ... 7F7AA=="
            ]
        }
    ]
}

The file will look similar to the one above; the example has been trimmed so that the long key values are not shown.

Save the Key Set in the Key Cache Folder

The file saved in this folder is named after the identity issuer.

Example: given an access token with issuer https://adfs.mops-something.com/adfs, the cache file name is derived as follows:

  • Remove the scheme prefix (http:// or https://).
  • Replace each path separator (/) with an exclamation mark (!).

The above issuer therefore gets a cache file named adfs.mops-something.com!adfs.

The file should be saved in the folder identified by the jwks_cache_folder setting.
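The steps above carried through end to end, as an added Python example (not MOPS code): it builds the discovery URL, checks that the discovery document names the issuer that was asked for, validates the key set before caching it, and derives the cache file name. The function names, the injectable fetcher and the constructed sample documents are assumptions; a live run would supply a fetcher built on urllib.request.urlopen.

```python
import json
import sys
from pathlib import Path

ISSUER = "https://adfs.mops-something.com/adfs"  # issuer used in the document


def discovery_url(issuer):
    """Issuer URL with .well-known/openid-configuration appended."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def cache_file_name(issuer):
    """Strip the scheme prefix, then replace every '/' with '!'."""
    for scheme in ("https://", "http://"):
        if issuer.lower().startswith(scheme):
            issuer = issuer[len(scheme):]
    return issuer.replace("/", "!")


def build_cache_entry(issuer, fetch):
    """Return (file name, key ids, JWKS text); 'fetch' maps a URL to parsed JSON."""
    config = fetch(discovery_url(issuer))
    # The discovery document must name exactly the issuer that was asked for.
    if config.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r" % config.get("issuer"))
    jwks = fetch(config["jwks_uri"])
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS contains no keys")
    for key in keys:  # every key needs a kid; RSA keys also need n and e
        if "kid" not in key or (key.get("kty") == "RSA" and not {"n", "e"}.issubset(key)):
            raise ValueError("incomplete key entry in JWKS")
    return cache_file_name(issuer), [k["kid"] for k in keys], json.dumps(jwks, indent=4)


# Constructed offline stand-ins for the two documents (trimmed like the ones above).
SAMPLE_DOCS = {
    discovery_url(ISSUER): {"issuer": ISSUER, "jwks_uri": ISSUER + "/discovery/keys"},
    ISSUER + "/discovery/keys": {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
        "kid": "IzofLPZVZ6A2kSc4oXU7T7xwEHk", "n": "oWBO7DwIo", "e": "AQAB"}]},
}


def sample_fetch(url):
    return SAMPLE_DOCS[url]


if __name__ == "__main__":
    folder = Path(sys.argv[1] if len(sys.argv) > 1 else ".")  # your jwks_cache_folder
    name, kids, text = build_cache_entry(ISSUER, sample_fetch)
    (folder / name).write_text(text)
    print("wrote", folder / name, "containing key ids", kids)
```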