I have activated the JWKS_URI in my OAuth client (within Keycloak).
Now, my expectation was that besides the KID, a field JWKS_URI would be part of the JWT for that client. But I see only KID. The CERTS endpoint works and responds with JWKS JSON.
Is my understanding correct that the JWKS_URI should be in the Token? (see https://www.rfc-editor.org/rfc/rfc8414.html)
From rfc8414.html, in the 3.2. Authorization Server Metadata Response section.
The JWKS_URI is in the Authorization Server Metadata Response.
It is the response to 3.1. Authorization Server Metadata Request, and the request example is
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: example.com
Example response:
{
"issuer":
"https://server.example.com",
"authorization_endpoint":
"https://server.example.com/authorize",
"token_endpoint":
"https://server.example.com/token",
"token_endpoint_auth_methods_supported":
["client_secret_basic", "private_key_jwt"],
"token_endpoint_auth_signing_alg_values_supported":
["RS256", "ES256"],
"userinfo_endpoint":
"https://server.example.com/userinfo",
"jwks_uri":
"https://server.example.com/jwks.json",
"registration_endpoint":
"https://server.example.com/register",
"scopes_supported":
["openid", "profile", "email", "address",
"phone", "offline_access"],
"response_types_supported":
["code", "code token"],
"service_documentation":
"http://server.example.com/service_documentation.html",
"ui_locales_supported":
["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
In Keycloak, this API provides it:
http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration
"jwks_uri" (the certificate endpoint) is in its response, as in the following JSON.
{
"issuer": "http://localhost:8080/auth/realms/my-realm",
"authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:openid:params:grant-type:ciba"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
...
You show the header of a JWT. In the JWT specification, RFC 7519, the example shows only "typ" and "alg", not "jwks_uri":
{"typ":"JWT",
"alg":"HS256"}
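To make the flow described in this answer concrete, here is an added example (not Keycloak's code and not from either post) of how a verifier turns the "kid" in a JWT header into a key taken from the JWKS behind the discovery document's "jwks_uri". The discovery document and JWKS below are constructed stand-ins for what Keycloak would serve; the header is only used for key routing, and the verifier's own alg allow-list, not the token, decides which algorithms are acceptable.

```python
import base64
import json

# Constructed discovery document, trimmed to the fields used here; it mirrors the
# shape Keycloak serves at /.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "http://localhost:8080/auth/realms/my-realm",
    "jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
}

# Constructed JWKS standing in for the body a GET to DISCOVERY["jwks_uri"] returns.
# "n" and "e" are placeholder values, not a real modulus and exponent.
JWKS = {"keys": [
    {"kid": "key-2024", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kid": "key-old", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "AQAB", "e": "AQAB"},
]}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_header(header):
    """Build the first JWT segment from a header dict (used to construct test tokens)."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def resolve_signing_key(jwt, discovery, jwks, allowed_algs=("RS256",)):
    """Return the JWK a verifier should check this token against, or raise ValueError.
    Only "alg" and "kid" are read from the header, and both are validated against
    data the verifier already holds: the discovery document and the fetched JWKS."""
    header = json.loads(_b64url_decode(jwt.split(".")[0]))
    alg = header.get("alg")
    if alg not in allowed_algs:  # verifier policy; "none" and HS* never pass for RS keys
        raise ValueError(f"alg {alg!r} is not permitted by this verifier")
    if alg not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError(f"issuer does not advertise alg {alg!r}")
    if "jku" in header or "jwk" in header:
        # Key material must come from jwks_uri in the discovery document, never from the token.
        raise ValueError("header supplies its own key location; refusing")
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise ValueError(f"no unique signing key for kid {kid!r}")
    key = matches[0]
    if key.get("alg", alg) != alg:
        raise ValueError(f"key {kid!r} is bound to {key['alg']}, token says {alg}")
    return key
```

The returned JWK is what a JOSE library would then use for the actual signature check; the lookup step shown here is where kid confusion, unknown keys and header-supplied key locations are rejected before any cryptography runs.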