JSON Web Key Set (JWKS)
2. JSON Web Key Set (JWKS) Settings
In IBM Security Verify Access, the user is allowed to create multiple keystores to arrange their personal or signer keys.
For IBM Security Verify Access OIDC provider implementation, use the following settings:
- Create two
keystores- one contains keys that are related to JWT signing and the other contains keys that are related to JWT encryption. Read about key management. - Specify the keystore names in the
signing_keystoreandencryption_keystore - Public key of personal keys under the
signing_keystore/personalis published in/jwksendpoint withuse=sig - Public key of personal keys under the
encryption_keystore/personalis published in/jwksendpoint withuse=enc
| Name | Description | Valid Value | Mandatory | Default |
|---|---|---|---|---|
| signing_keystore | Keystore name that contains keys that are related to JWT signing and signature validation. | string | Yes | |
| encryption_keystore | Keystore name that contains keys that are related to JWT encryption and decryption. | string | Yes |
Apart from the usage shown above, signing_keystore and encryption_keystore are used as the default keystore to validate request object if jwks_uri is not configured and to encrypt the outgoing JWT if the configuration is missing. To validate this JWT, the system looks for signer key under signing_keystore with the same name that matches the kid header.
jwks: # JSON Web Key Set (JWKS) Settings
signing_keystore: signing_keystore # Keystore name containing keys related to JWT signing/signature validation.
encryption_keystore: encryption_keystore # Keystore name containing keys related to JWT encryption/decryption.
Updated about 2 years ago