HID Authentication Service Public Server JWK Set
The HID Authentication Service server publishes its public keys as a JSON Web Key Set (JWKS). This enables clients to:
- Validate identity tokens issued by the server (as specified in OpenID Connect Core, section 3.1.3.7)
- Validate JWT-encoded claims returned by the userInfo endpoint
- Encrypt JWT request objects sent to the authentication endpoint (as specified in OpenID Connect Core, section 6)
The public keys are available at the following URL:
https://[base-server-url]/{tenant}/authn/jwks [GET]
The JWK Set URL is advertised as the jwks_uri value in the metadata published at the discovery endpoint.
Sample request to get the server’s public keys:
GET https://[base-server-url]/{tenant}/authn/jwks HTTP/1.1
Sample response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"keys": [{
"kty": "RSA",
"x5t#S256": "ZrPsquD9bQgIOWXKMToyhDnsVW3CL9g2r33yXLrUrZE",
"e": "AQAB",
"use": "sig",
"kid": "1529070049824",
"x5c": ["MIIDZjCCAk6gAwIBAgIGAWQDrVogMA0GCSqGSIb3DQEBCwUAMFcxEzARBgNVBAsTCk9OTElORUJBTksxEzARBgNVBAoTCkhJRCBHbG9iYWwxKzApBgNVBAMTIihPTkxJTkVCQU5LKSBBY3RpdklEIElEUCBTaWduYXR1cmUwHhcNMTgwNjE0MTM0MDQ5WhcNMjMwNjE1MTM0MDQ5WjBXMRMwEQYDVQQLEwpPTkxJTkVCQU5LMRMwEQYDVQQKEwpISUQgR2xvYmFsMSswKQYDVQQDEyIoT05MSU5FQkFOSykgQWN0aXZJRCBJRFAgU2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArAoa+Ezg2B3HDSVodJYrsRwuKPwsPfxZOU3vuwX0X48rI2h\/t\/fYt7lZSBOaSYNEUooZvgV9j\/9eDPIG4NoEoO40BtVir+cWU+QkfNrMt0MHT43K2nExTzCJXddD0fAXxnOkBZRpmbBvfJEn3CTPegfGZms+H57hIkdsHz1XA9d9HNC8AKjlnDPkyG9CSX1WtqG5gcB0AsyYuNy4A\/TYvsKCKrqs54kkvrNXpCfCKZOEpFnbc3pQq6Kl3sS\/3d+ccELWJ4Up2ZpsAq455F4LOVcpi7w5+zmHzgpnl5RfzPPQ+Hts9VBWTGOuyShNQbBYjUre3ymj9filIW86uLEznwIDAQABozgwNjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB\/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAP7qE\/W+VF5ASAxGKwqXlP8J39GpFqvKiy+4lJHoFnLfEaOWWTqKCMZBojWMfZHqy0jS2ONVg9z13mJsaTkYFV507FxKHh4jLD98ZZHWKrWXjSJyDfGIeH1HkoqxPlEGGjhPB05EQW4pponG8JWa6ZV2dGTJF1cWb0c3AalxWv8MKzEKJdLkGC8MCzvS5R5iRWLUhK\/gp0UUMV5RD5TYLgFHdmH52QEW7QdNC+VsYYv1xHP2kWVDDaRqfXrgQp4IrW96ecFGLzmGXVX5hcxNR1GTESfLS90MtMOVmbN1rcw4wWI0syYRd7QdISKlS0FH6qp72xEo\/veCc68bbfWMDgw=="],
"alg": "RS256",
"n": "rAoa-Ezg2B3HDSVodJYrsRwuKPwsPfxZOU3vuwX0X48rI2h_t_fYt7lZSBOaSYNEUooZvgV9j_9eDPIG4NoEoO40BtVir-cWU-QkfNrMt0MHT43K2nExTzCJXddD0fAXxnOkBZRpmbBvfJEn3CTPegfGZms-H57hIkdsHz1XA9d9HNC8AKjlnDPkyG9CSX1WtqG5gcB0AsyYuNy4A_TYvsKCKrqs54kkvrNXpCfCKZOEpFnbc3pQq6Kl3sS_3d-ccELWJ4Up2ZpsAq455F4LOVcpi7w5-zmHzgpnl5RfzPPQ-Hts9VBWTGOuyShNQbBYjUre3ymj9filIW86uLEznw"
},
{
"kty": "RSA",
"x5t#S256": "r5cIwQA2g_C7Vc6TOi_UdPk3kmamQSieEAcFcwKO5YI",
"e": "AQAB",
"use": "enc",
"kid": "1529070050980",
"x5c": ["MIIDZzCCAk+gAwIBAgIGAWQDrV6kMA0GCSqGSIb3DQEBCwUAMFgxEzARBgNVBAsTCk9OTElORUJBTksxEzARBgNVBAoTCkhJRCBHbG9iYWwxLDAqBgNVBAMTIyhPTkxJTkVCQU5LKSBBY3RpdklEIElEUCBFbmNyeXB0aW9uMB4XDTE4MDYxNDEzNDA1MFoXDTIzMDYxNTEzNDA1MFowWDETMBEGA1UECxMKT05MSU5FQkFOSzETMBEGA1UEChMKSElEIEdsb2JhbDEsMCoGA1UEAxMjKE9OTElORUJBTkspIEFjdGl2SUQgSURQIEVuY3J5cHRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCV6SMyRNJJmaBW4gXH9eEQbcBLpYdHV5hj\/rmGfGoa7ylvdK4GiuTrWCkRYwel2p9PlsJnC5AAWjvIFavU8iIUZ5Np8CIDy+L1Gewcf659V+MmzU8mgLRWdQ6ovYFXi8UWbOykF\/Ze6GVYXJ3SjoXk0U9hdWOvpjAJ6Q7l8G+8TpPb7LHlqZQdES5YUkkqTQSbpytPD3AGVmBD3vmFN622II39AZQgenAYifiivMFuzUjupnkUhmAPqdqSwg9t6cIrvzjJRddh5KZzhH9NeAebfqx7iyiIr4i0GJJY3VyANXO8bBTT8644JHNQugA+hep2fpN+G5tzFYYi1HmKGq3BAgMBAAGjNzA1MAwGA1UdEwEB\/wQCMAAwDgYDVR0PAQH\/BAQDAgQwMBUGA1UdJQQOMAwGCisGAQQBgjcKAwQwDQYJKoZIhvcNAQELBQADggEBAE2gH8hoJHZ94g9Ec8WgtDtoGxk5iGKt6xFRZbBv84DGltTObUclD4VgoiI9zBodYuAWxbXaQxtQBsq5SBQfwGWWh1iu5T7VlmD\/dDs8InBPc3QX63Z364oPAHOLZTPPgj5ewrZ1PWeE2+xP32D2IcYzbvhrDcYTp9OmMIFGYJQh31VuJDsjkIARDj9AaS0KfmqKGlM+B3Kn2y8ARdgAmqDwfYaBTavO46TfDkQ+dEtv8dodBsLLSvoZeBUcJF\/mH7B3YGqn4Rb6Z\/KcbweuKOn5C8wNi2p\/frwCggra4+IXA4OCf+FDBxIXgz5PomrrfoGlmt86Nw6vMKvgI35kJw0="],
"alg": "RS256",
"n": "lekjMkTSSZmgVuIFx_XhEG3AS6WHR1eYY_65hnxqGu8pb3SuBork61gpEWMHpdqfT5bCZwuQAFo7yBWr1PIiFGeTafAiA8vi9RnsHH-ufVfjJs1PJoC0VnUOqL2BV4vFFmzspBf2XuhlWFyd0o6F5NFPYXVjr6YwCekO5fBvvE6T2-yx5amUHREuWFJJKk0Em6crTw9wBlZgQ975hTettiCN_QGUIHpwGIn4orzBbs1I7qZ5FIZgD6naksIPbenCK784yUXXYeSmc4R_TXgHm36se4soiK-ItBiSWN1cgDVzvGwU0_OuOCRzULoAPoXqdn6TfhubcxWGItR5ihqtwQ"
}
]
}
The key with "use": "sig" is the one clients use for the signature checks listed above (identity tokens and JWT-encoded userInfo claims). The key with "use": "enc" carries the RSA public key and its X.509 certificate chain ("x5c") that clients use to encrypt request data (for example, a request object sent by the client to the authentication endpoint).
Possible error responses are:
Code | Label | Possible Errors
---|---|---
 | | invalid_request