JWKS URI missing in JWT based on Keycloak Client


I have activated the JWKS_URI in my OAuth client (within Keycloak).

Now, my expectation was that besides the KID a field JWKS_URI would be part of the JWT for that client. But I see only KID. The CERTS endpoint works and responds with a JWKS in JSON format.

Is my understanding correct that the JWKS_URI should be in the Token? (see https://www.rfc-editor.org/rfc/rfc8414.html)


Solution

  • From rfc8414.html, in the 3.2. Authorization Server Metadata Response section.

    The JWKS_URI is in the Authorization Server Metadata Response.

    It is the response to the 3.1. Authorization Server Metadata Request, and the request example is

         GET /.well-known/oauth-authorization-server HTTP/1.1
         Host: example.com
    

    Example response:

         {
          "issuer":
            "https://server.example.com",
          "authorization_endpoint":
            "https://server.example.com/authorize",
          "token_endpoint":
            "https://server.example.com/token",
          "token_endpoint_auth_methods_supported":
            ["client_secret_basic", "private_key_jwt"],
          "token_endpoint_auth_signing_alg_values_supported":
            ["RS256", "ES256"],
          "userinfo_endpoint":
            "https://server.example.com/userinfo",
          "jwks_uri":
            "https://server.example.com/jwks.json",
          "registration_endpoint":
            "https://server.example.com/register",
          "scopes_supported":
            ["openid", "profile", "email", "address",
             "phone", "offline_access"],
          "response_types_supported":
            ["code", "code token"],
          "service_documentation":
            "http://server.example.com/service_documentation.html",
          "ui_locales_supported":
            ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
         }
    

    In Keycloak, this API provides it:

    http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration
    

    "jwks_uri" (the certificate endpoint) is in its response, as in the following JSON.

    {
      "issuer": "http://localhost:8080/auth/realms/my-realm",
      "authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth",
      "token_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
      "introspection_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token/introspect",
      "userinfo_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/userinfo",
      "end_session_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/logout",
      "frontchannel_logout_session_supported": true,
      "frontchannel_logout_supported": true,
      "jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
      "check_session_iframe": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/login-status-iframe.html",
      "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
      ],
      "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
      ],
      "subject_types_supported": [
        "public",
        "pairwise"
      ],
      "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
      ],
    
    ...
    

    You show the header of the JWT. In the JWT specification, RFC 7519, the example header shows only "typ" and "alg", not "jwks_uri":

        {"typ":"JWT",
          "alg":"HS256"}
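The chain the answer describes, as an added example that is not part of the original post: a verifier reads only `kid` and `alg` from the token header, takes `jwks_uri` from the issuer's discovery document, and selects the matching key from the JWKS. The discovery document, JWKS and token below are constructed stand-ins (made-up key ids, no real modulus), and an in-memory table replaces the HTTPS fetch so it runs offline.

```python
import base64
import json

# Constructed stand-ins for what Keycloak serves (all values made up):
# the discovery document and the JWKS that its "jwks_uri" points to.
DISCOVERY_URL = "http://localhost:8080/auth/realms/my-realm/.well-known/openid-configuration"
DISCOVERY = {
    "issuer": "http://localhost:8080/auth/realms/my-realm",
    "jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "PS256"],
}
JWKS = {"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "<modulus>", "e": "AQAB"},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": "<modulus>", "e": "AQAB"},
]}
OFFLINE_HTTP = {DISCOVERY_URL: DISCOVERY, DISCOVERY["jwks_uri"]: JWKS}  # stands in for HTTPS GET

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header; it carries 'kid', not the key or its location."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))

def resolve_signing_key(token: str, discovery_url: str = DISCOVERY_URL) -> dict:
    """Map a token's header to the issuer's JWK via discovery -> jwks_uri -> kid.
    The key location comes from the issuer metadata configured here, never from
    anything inside the token, so a forged header cannot choose the key set."""
    header = jwt_header(token)
    metadata = OFFLINE_HTTP[discovery_url]
    alg = header.get("alg")
    if alg not in metadata["id_token_signing_alg_values_supported"]:
        raise ValueError(f"alg {alg!r} not offered by issuer")  # also rejects 'none' and HS*
    jwks = OFFLINE_HTTP[metadata["jwks_uri"]]
    for jwk in jwks["keys"]:
        if jwk.get("kid") == header.get("kid") and jwk.get("use", "sig") == "sig" and jwk.get("alg", alg) == alg:
            return jwk  # hand this JWK to your JWT library for the actual signature check
    raise KeyError(f"no signing key with kid {header.get('kid')!r}; refresh the JWKS once before failing")

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test token; the signature segment is left empty since only the header is inspected."""
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims)) + "."

TOKEN = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "sig-key-1"}, {"sub": "alice"})
```

In production the `OFFLINE_HTTP` lookup is an HTTPS fetch of the discovery URL you configured for the realm, cached and re-fetched when a `kid` is unknown (key rotation).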