Obtain Public Keys

Description

Obtains TRIDENT's public keys. Currently, only the OpenID Connect ID token signature keys are obtained (the current and the previous key). TRIDENT generates these keys automatically and rotates them daily.

To verify the signature of an ID token received in response to the Obtain a Token operation, the application must first obtain TRIDENT's public signature keys using this operation. Each key has a kid (key identifier). The kid is included in the header of the ID token and in each of the public keys returned in the response (the current and the previous key). To verify the signature of the ID token, the application must use the public key whose kid matches the one included in the header of the ID token.

We recommend that the application keep the last public key it used in a local cache, together with its kid, and use the cached key to verify the signatures of subsequent ID tokens that carry the same kid. When the application receives an ID token whose kid does not match the cached one, it must re-invoke this endpoint to obtain the new key.

In addition to verifying the signature, the application must perform the other checks required on an ID token before considering it valid, such as checking the value of the aud (audience) claim. See the OpenID Connect specification for more information.

Request

GET /trustedx-authserver/oauth/keys

Authorization

This operation requires no authorization.

Example

GET /trustedx-authserver/oauth/keys HTTP/1.1
Host: trustedx.demo.com:443

Response

Status-Line

HTTP/1.1 200 OK

Content-Type Header

Content-Type: application/json

Body

The body of the response contains the JSON representation of a JWK set (see [RFC 7517]). The JWK set normally includes two keys (the current and the previous signature keys), although the first time the operation is used it contains only one.

{
"keys": [
{
"kid": {string},
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"key_ops": {array},
"e": {string},
"n": {string}
},
...
]
}

Property

Description

kid

Identifier of the key. This field is also included in the header of the ID tokens signed with this key.

kty

Key type. Fixed as RSA.

alg

Signature algorithm with which the key is used. Fixed as RS256 (RSA with SHA-256).

use

Use of the key. Fixed as sig (signature).

key_ops

Operations for which the key can be used. The value of this field is an array of strings and takes one of two forms:

  • For the current signature key, this field contains the values sign and verify. These values specify that TRIDENT is using the key for signing and also that the applications can use the key for verifying signatures.

  • For the previous signature key, this field only includes the verify value. TRIDENT no longer uses this key for signing, but applications can continue to use it to verify signatures.

Note

Applications must not use this field to decide which key is the current signature key when verifying the signature of an ID token because, even if the ID token was just issued by TRIDENT, the key could have been rotated immediately afterwards. Applications must always use the key identifier (the kid property) to select the key used for verification.

e, n

Representation of the RSA public key (modulus and exponent). This is a 2048-bit key.

Example

Below is an example of a response to this operation. Some field values have been shortened with ellipses for readability.

HTTP/1.1 200 OK
Content-Type: application/json
 
{
"keys": [
{
"kid": "5de7...36b1",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"key_ops": [ "sign", "verify" ],
"e": "AQAB",
"n": "stUxafsnMzNBwUmcahF0Dh1tEULGCF9..."
},
{
"kid": "d0f3...406d",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"key_ops": [ "verify" ],
"e": "AQAB",
"n": "sD--6u8VOEEx3IiwMzSsJ2VwTToBEo9c..."
}
]
}