JWKS Endpoint

Article ID: 142040

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

A JWT is created and signed with the "Encode Json Web Token" assertion. The token should be validated with the public key, and this public key is to be made available to developers via a JWKS. A JWKS can be created with the "Create Json Web Key" assertion.

Do you have an example of how JWKS Endpoint is created? Which JWKS Endpoint can we provide to the developer?

The customer doesn't want to use JWKS from google. They have their own private keys in CA API Gateway, which they store in JWKS and make available to the users.

How does JWKS work in API Gateway?

With "Create Json Web Key" they can create a JWKS.
How can the user now add a new certificate to the JWKS without changing the existing kid (== UUID)?

So how is an existing JWKS upgraded?

Environment

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution

Q. How does JWKS work in API Gateway?
Ans. A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, with its value being an array of JWKs.
Users can create a Web API and prepare the response to the caller using the Create Json Web Key assertion.
It lets you include one or more keys for the selected private keys. Their Key IDs can also be made programmable using literals or context variable expressions.

Q. Do you have an example of how JWKS Endpoint is created?
Ans. Publish a new Web API, import the attached policy (jwks.policy.xml) into it, then save and activate it. Invoke the service; the response lists the server's public signing keys.

Q. Which JWKS Endpoint can we provide to the developer?
Ans. I am not very clear about this question. But, as you can program the Key IDs, you can give them the required endpoint. Having said that, they must maintain the API for future changes as they do for other APIs. Otherwise, Gateway has no dedicated APIs for managing the JWKS.

Q. How can the user now add a new certificate to the JWKS without changing the existing kid (== UUID)?
Ans. You can add a new certificate to the JWKS without replacing the older one. From the "Create JSON Web Key Properties" window, you can add a new key.

Q. So how is an existing JWKS upgraded?
Ans. As mentioned earlier, the Gateway has no dedicated APIs for managing the JWKS.
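The following is an added example, not part of this article and not the Gateway's own code or the attached policy, written in Go with only the standard library. It shows the three things the answers above describe: the JWK Set document (a JSON object whose "keys" member is an array of JWKs) built from RSA public keys with caller-chosen Key IDs, rotation by appending a second key under a new kid while the existing kid-old entry is left untouched, and the developer side that reads the served document, picks the key named by the token's kid and verifies an RS256 signature. The kids "kid-old"/"kid-new", the claims and the token construction in Demo are constructed for the demo; in the Gateway the token would come from the Encode Json Web Token assertion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517/7518 members needed to publish an RSA public signing key.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the JWK Set: a JSON object whose "keys" member is an array of JWKs.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding // JWK and JWS both use unpadded base64url

// PublicJWK turns an RSA public key into a JWK tagged with the caller-chosen kid.
func PublicJWK(pub *rsa.PublicKey, kid string) JWK {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWK{Kty: "RSA", Use: "sig", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
}

// KeyByKid parses a served JWKS document and returns the RSA public key for kid.
func KeyByKid(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set JWKS
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("kid %q: malformed n or e", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q", kid)
}

// VerifyRS256 (consumer side): take kid from the JWT header, fetch that key from the JWKS,
// pin the algorithm to RS256 (the token never chooses it) and check the signature. nil = valid.
func VerifyRS256(token string, jwksDoc []byte) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("unreadable header/signature or alg is not RS256")
	}
	pub, err := KeyByKid(jwksDoc, hdr.Kid)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Demo rotates keys as the article describes: kid-new is appended while the kid-old entry is
// left exactly as it was. It returns the document the JWKS endpoint would serve and a token
// issued under kid-old (constructed here; in production the Encode Json Web Token assertion issues it).
func Demo() (doc []byte, token string) {
	old, _ := rsa.GenerateKey(rand.Reader, 2048)
	next, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := &JWKS{Keys: []JWK{PublicJWK(&old.PublicKey, "kid-old")}}
	set.Keys = append(set.Keys, PublicJWK(&next.PublicKey, "kid-new")) // rotation: append, never edit
	doc, _ = json.Marshal(set)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "kid-old"})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(`{"sub":"demo"}`))
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, old, crypto.SHA256, h[:])
	return doc, input + "." + b64.EncodeToString(sig)
}

func main() {
	doc, token := Demo()
	fmt.Println(string(doc), VerifyRS256(token, doc))
}
```

Tokens signed under kid-old keep verifying after kid-new is published, which is why the existing kid must stay stable across a rotation; consumers that cache the JWKS by kid would otherwise fail until they refetch. The verifier also pins the algorithm to RS256 from the JWKS side rather than trusting the token header.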

Attachments

1576669517771__jwks.policy.xml