Validate SLAS JWTs with JWKS
A JSON Web Key Set (JWKS) is a set of cryptographic public keys in a JSON-based format, commonly used to validate the authenticity of JSON Web Tokens (JWTs). Each JWKS key is represented as a JSON Web Key (JWK), which includes the key type (kty), algorithm (alg), and key ID (kid). This format allows servers to securely share their public keys through a JWKS endpoint, which clients can access to validate JWTs without needing the private key used to sign the tokens. This public-private key pair ensures the integrity and trustworthiness of the transmitted JWTs.
JWKS plays a crucial role in distributed systems that rely on token-based authentication, especially for OAuth 2.0 and OpenID Connect protocols. By providing a central, trusted repository for public keys, the use of JWKS simplifies key management and enhances security. Systems using JWKS can dynamically retrieve keys and handle key rotation without service interruptions, making it a preferred method for validating signatures and safeguarding data in modern authentication systems. For additional information, see:
To validate a SLAS JWT using JWKS:
- Fetch the JWKS from the SLAS JWKS endpoint.
- Parse the JWT's header and retrieve the key ID (kid).
- Locate the key in your JWKS that matches the kid.
- Verify the JWT signature using the matching public key.
For a newly created tenant, the SLAS JWKS endpoint typically returns 2 keys. After the first successful rotation of the keys is completed, and from then on, the endpoint returns 3 keys per tenant. This allows you to validate JWTs even if SLAS rotates its signing keys.
To improve performance and avoid rate limits, cache the signing keys. If a token fails to decode against the cached keys, invalidate the cache, retrieve fresh signing keys, and retry the verification exactly once.
Note that kid “4f3df” is no longer in the JWKS output. The JWT still validates.
Note that kid “a5fdc” is found in the JWKS output and the signature validates.