JWKS & JWA
This content is for v8.x.
JSON Web Key Set used by the authorization server for signing and decryption. The object must be in JWK Set format. All provided keys must be private keys.
Supported key types are:
- RSA
- OKP (Ed25519, Ed448, X25519, X448 sub types)
- EC (P-256, secp256k1, P-384, and P-521 curves)
recommendation: Be sure to follow best practices for distributing private keying material and secrets for your respective target deployment environment.
recommendation: The following action order is recommended when rotating signing keys on a distributed deployment with rolling reloads in place.
- push new keys at the very end of the “keys” array in your JWKS; this makes them available for verification should they be encountered, but they are not yet used for signing
- reload all your processes
- move your new key to the very front of the “keys” array in your JWKS; after a reload it will be used for signing
- reload all your processes
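The two-phase rotation above, applied to a JWK Set object, as an added example that is not code from the node-oidc-provider docs or project. It assumes every key carries a `kid` so it can be promoted by reference, and the sample keys are constructed with structural fields only.

```javascript
// Added example (not from node-oidc-provider): two-phase signing key rotation.
// Phase 1 appends the new key so every process can verify with it after a
// reload; phase 2 moves it to the front so it signs after the next reload.

const SUPPORTED_KTY = new Set(['RSA', 'EC', 'OKP']);

// A JWK is private when it carries the private component "d" (RFC 7518/8037).
function assertPrivateJwk(jwk) {
  if (!SUPPORTED_KTY.has(jwk.kty)) throw new Error(`unsupported kty ${jwk.kty}`);
  if (typeof jwk.d !== 'string' || jwk.d.length === 0) {
    throw new Error(`key ${jwk.kid ?? '<no kid>'} is not a private key`);
  }
  if (!jwk.kid) throw new Error('key needs a kid to be rotated by reference');
}

// Phase 1: push the new key to the very end of "keys" (verification only).
function stageKey(jwks, newKey) {
  assertPrivateJwk(newKey);
  if (jwks.keys.some((k) => k.kid === newKey.kid)) {
    throw new Error(`kid ${newKey.kid} already present`);
  }
  return { keys: [...jwks.keys, newKey] };
}

// Phase 2 (after all processes reloaded): move the staged key to the very
// front so it becomes the signing key; older keys stay for verification.
function promoteKey(jwks, kid) {
  const idx = jwks.keys.findIndex((k) => k.kid === kid);
  if (idx === -1) throw new Error(`kid ${kid} not staged`);
  const keys = [...jwks.keys];
  const [key] = keys.splice(idx, 1);
  return { keys: [key, ...keys] };
}

// The first key in "keys" is the one used for signing.
function signingKid(jwks) { return jwks.keys[0].kid; }

// Constructed sample keys: structural fields only, not real key material.
const current = { keys: [{ kty: 'RSA', kid: 'rsa-2023', n: '...', e: 'AQAB', d: '...' }] };
const fresh = { kty: 'EC', kid: 'ec-2024', crv: 'P-256', x: '...', y: '...', d: '...' };

const staged = stageKey(current, fresh);        // signing kid is still 'rsa-2023'
const promoted = promoteKey(staged, 'ec-2024'); // signing kid is now 'ec-2024'
```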
enabledJWA

Fine-tune the algorithms the authorization server supports by declaring algorithm values for each respective JWA use.
enabledJWA.authorizationEncryptionAlgValues

JWE “alg” Algorithm values the authorization server supports for JWT Authorization response (JARM) encryption.

default value:

```js
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
```

Supported values list:

```js
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]
```

enabledJWA.authorizationEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt JWT Authorization Responses (JARM) with.

default value:

```js
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
```

Supported values list:

```js
['A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM']
```

enabledJWA.authorizationSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign JWT Authorization Responses (JARM) with.

default value:

```js
['RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```

enabledJWA.clientAuthSigningAlgValues
JWS “alg” Algorithm values the authorization server supports for signed JWT Client Authentication.

default value:

```js
['HS256', 'RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```

enabledJWA.dPoPSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to verify signed DPoP proof JWTs with.

default value:

```js
['ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
]
```

enabledJWA.idTokenEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for ID Token encryption.

default value:

```js
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
```

Supported values list:

```js
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]
```

enabledJWA.idTokenEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt ID Tokens with.

default value:

```js
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
```

Supported values list:

```js
['A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM']
```

enabledJWA.idTokenSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign ID Tokens with.

default value:

```js
['RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```

enabledJWA.introspectionEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for JWT Introspection response encryption.

default value:

```js
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
```

Supported values list:

```js
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]
```

enabledJWA.introspectionEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt JWT Introspection responses with.

default value:

```js
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
```

Supported values list:

```js
['A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM']
```

enabledJWA.introspectionSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign JWT Introspection responses with.

default value:

```js
['RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```

enabledJWA.requestObjectEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports to receive encrypted Request Objects (JAR) with.

default value:

```js
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
```

Supported values list:

```js
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]
```

enabledJWA.requestObjectEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to decrypt Request Objects (JAR) with.

default value:

```js
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
```

Supported values list:

```js
['A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM']
```

enabledJWA.requestObjectSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to receive signed Request Objects (JAR) with.

default value:

```js
['HS256', 'RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```

enabledJWA.userinfoEncryptionAlgValues
JWE “alg” Algorithm values the authorization server supports for UserInfo Response encryption.

default value:

```js
['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir']
```

Supported values list:

```js
[
  // asymmetric RSAES based
  'RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512',
  // asymmetric ECDH-ES based
  'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
  // symmetric AES key wrapping
  'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
  // direct encryption
  'dir',
]
```

enabledJWA.userinfoEncryptionEncValues
JWE “enc” Content Encryption Algorithm values the authorization server supports to encrypt UserInfo responses with.

default value:

```js
['A128CBC-HS256', 'A128GCM', 'A256CBC-HS512', 'A256GCM']
```

Supported values list:

```js
['A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM']
```

enabledJWA.userinfoSigningAlgValues
JWS “alg” Algorithm values the authorization server supports to sign UserInfo responses with.

default value:

```js
['RS256', 'PS256', 'ES256', 'EdDSA']
```

Supported values list:

```js
[
  'RS256', 'RS384', 'RS512',
  'PS256', 'PS384', 'PS512',
  'ES256', 'ES256K', 'ES384', 'ES512',
  'EdDSA',
  'HS256', 'HS384', 'HS512',
]
```
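A configuration consistency check, added here as an example that is not code from the node-oidc-provider docs or project: it takes the jwks and two of the enabledJWA properties above and reports every asymmetric alg the server itself must use with one of its own private keys (signing, and decrypting Request Objects) that no key in the jwks can serve. The alg-to-key-type mapping is from RFC 7518 and RFC 8037; the sample jwks is constructed with structural fields only.

```javascript
// Added example (not from node-oidc-provider): which enabledJWA algs are
// actually backed by a private key in jwks. Symmetric algs (HS*, A*KW, dir)
// use the client secret rather than jwks and are skipped.

const EC_CURVE = { ES256: 'P-256', ES256K: 'secp256k1', ES384: 'P-384', ES512: 'P-521' };

// Key requirement for an alg; null means symmetric (no jwks key involved).
function keyRequirementFor(alg) {
  if (/^(RS|PS)(256|384|512)$/.test(alg) || /^RSA-OAEP(-(256|384|512))?$/.test(alg)) {
    return { kty: ['RSA'] };
  }
  if (EC_CURVE[alg]) return { kty: ['EC'], crv: [EC_CURVE[alg]] };
  if (alg === 'EdDSA') return { kty: ['OKP'], crv: ['Ed25519', 'Ed448'] };
  if (alg.startsWith('ECDH-ES')) {
    return { kty: ['EC', 'OKP'], crv: ['P-256', 'P-384', 'P-521', 'X25519', 'X448'] };
  }
  if (/^HS(256|384|512)$/.test(alg) || /^A(128|192|256)(GCM)?KW$/.test(alg) || alg === 'dir') {
    return null;
  }
  throw new Error(`unknown alg ${alg}`);
}

function keySatisfies(jwk, req) {
  if (!('d' in jwk)) return false; // every jwks key must be a private key
  if (!req.kty.includes(jwk.kty)) return false;
  return !req.crv || req.crv.includes(jwk.crv);
}

// Return the entries of `algs` that no key in `jwks` can serve.
function unsupportedAlgs(jwks, algs) {
  return algs.filter((alg) => {
    const req = keyRequirementFor(alg);
    return req !== null && !jwks.keys.some((jwk) => keySatisfies(jwk, req));
  });
}

// Constructed sample jwks: structural fields only, not real key material.
const jwks = { keys: [
  { kty: 'RSA', kid: 'rsa-1', n: '...', e: 'AQAB', d: '...' },
  { kty: 'EC', kid: 'ec-1', crv: 'P-256', x: '...', y: '...', d: '...' },
] };

// The v8 default values quoted above for these two properties.
const enabledJWA = {
  idTokenSigningAlgValues: ['RS256', 'PS256', 'ES256', 'EdDSA'],
  requestObjectEncryptionAlgValues: ['A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'RSA-OAEP-256', 'dir'],
};

const missingSigning = unsupportedAlgs(jwks, enabledJWA.idTokenSigningAlgValues);          // ['EdDSA']
const missingDecrypt = unsupportedAlgs(jwks, enabledJWA.requestObjectEncryptionAlgValues); // []
```

Without an OKP key in the jwks, EdDSA stays in the enabled list but cannot be used to sign; adding an Ed25519 private key or dropping EdDSA from the list resolves the mismatch.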