jwk

jwk is a standard endpoint that returns the public part of the keys used for signing and, if supported, for encryption. The keys are later used to validate token signatures or to encrypt the login_hint.

BankID OIDC uses two endpoints serving public keys. Their URLs are published in the .well-known/openid-configuration document as the settings jwks_uri and jwks_uri_enc.

  • The jwks_uri returns keys for validating signatures.
  • The jwks_uri_enc returns keys for encryption.

BankID OIDC may in the future return both key types from the jwks_uri.

Keys for signing

URL: https://<oidc-baseurl>/protocol/openid-connect/certs
Request: GET without parameters
Authentication: None
Success response: 200 OK with JSON structure according to standard.
Error response: Applicable HTTP code
Example: See below

The recommended practice for merchants is to use the jwks_uri URL from the openid-configuration document rather than hardcoding the URL value.

The keys may be rotated, so clients should periodically refresh their copy of the key set.

A signed JWT contains a "kid" value. A signed JWT is validated using the key with the corresponding "kid". There may be more than one key with "use":"sig" in the key set.


Example

The following example shows a JSON response from the jwks_uri endpoint.

JSON response
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "jws-signing-key",
      "alg": "RS256",
      "n": "n0Tpq4lMuCEhnyvqyoNqK2XsMDXwNZSedeJRoDbumGKvDSKnXNHiTucwdlnHqw_okXTKeBjIQOz_KbEDh2-yMkzkpaHkwPea37KSZPpmqqlYeBsHQ1w4pdK5AIQ-gz07GyAyViSMk7Buhz3RWbzv1XP0wtSg3ZmJ1C1MEcoJuQrq2adbTitgfjESK9o0gwfJxJIXIaDlD0xJOYZ7CNVV91Q9rfRzZvoJm3luqNEFNFgiuYVAAY42WvAhpXfXowAN8jppa5N4WnL8r5R0DoDjFkZmW4od0mLntM_TU6aCshEnL1TY6f0YPwsQ6WwoGpAO5UOMcyxTcvZBx4Bzp6tUDQ"
    }
  ]
}

Keys for encryption

URL: https://<oidc-baseurl>/encryption/keys
Request: GET without parameters
Authentication: None
Success response: 200 OK with JSON structure according to standard.
Error response: Applicable HTTP code
Example: See below

The recommended practice for merchants is to use the jwks_uri_enc URL from the openid-configuration document rather than hardcoding the URL value.

The keys may be rotated, so clients should periodically refresh their copy of the key set.

An encrypted JWT must contain a "kid" value. An encrypted JWT is decrypted using the key with the corresponding "kid". There may be more than one key with "use":"enc" in the key set.

Encryption keys are used to encrypt data sent to the BankID OIDC provider. The "kid" of the key used must be set in the encrypted JWT's header.


Example

The following example shows a JSON response from the jwks_uri_enc endpoint.

JSON response
{
  "keys": [
    {
      "kty": "EC",
      "use": "enc",
      "crv": "P-256",
      "kid": "encryptkey",
      "key_ops": [
        "encrypt"
      ],
      "x": "L5TEeQBm2LL16iuTJ1uvDrgcix7BEGVOkLLtPj7uQv8",
      "y": "czNN5i6R7sDiZe-pYlw6AA-kyL82zEOc7kU2jwYe6Cc",
      "alg": "ECDH-ES"
    }
  ]
}
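The following stdlib-only Python example is added here and is not part of the BankID documentation. It shows how a merchant client might consume both key sets described above (signing and encryption): each set is cached and filtered by "use", keys are looked up by "kid" with one refresh on an unknown "kid" to absorb rotation, a signed JWT's header alg is checked against the selected key's alg, and the chosen encryption key's "kid" and alg are placed in the JWE header. The two JWKS documents are copied from the examples on this page; the content-encryption value passed to jwe_protected_header is an assumption, as the page does not name one.

```python
import base64
import json

# Constructed JWKS documents, copied from the two example responses on this page.
SIG_JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig", "kid": "jws-signing-key",
    "alg": "RS256", "n": "n0Tpq4lMuCEhnyvqyoNqK2XsMDXwNZSedeJRoDbumGKvDSKnXNHiTucwdlnHqw_okXTKeBjIQOz_KbEDh2-yMkzkpaHkwPea37KSZPpmqqlYeBsHQ1w4pdK5AIQ-gz07GyAyViSMk7Buhz3RWbzv1XP0wtSg3ZmJ1C1MEcoJuQrq2adbTitgfjESK9o0gwfJxJIXIaDlD0xJOYZ7CNVV91Q9rfRzZvoJm3luqNEFNFgiuYVAAY42WvAhpXfXowAN8jppa5N4WnL8r5R0DoDjFkZmW4od0mLntM_TU6aCshEnL1TY6f0YPwsQ6WwoGpAO5UOMcyxTcvZBx4Bzp6tUDQ"}]}
ENC_JWKS = {"keys": [{"kty": "EC", "use": "enc", "crv": "P-256", "kid": "encryptkey",
    "key_ops": ["encrypt"], "alg": "ECDH-ES",
    "x": "L5TEeQBm2LL16iuTJ1uvDrgcix7BEGVOkLLtPj7uQv8",
    "y": "czNN5i6R7sDiZe-pYlw6AA-kyL82zEOc7kU2jwYe6Cc"}]}

# JWK fields and JWT segments are base64url without padding.
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

class KeySet:
    """Cached view of one jwks_uri or jwks_uri_enc document, filtered by "use"."""
    def __init__(self, fetch, use):
        self._fetch, self.use, self.keys = fetch, use, {}
        self.refresh()

    def refresh(self):
        # Several keys may share the same "use"; the kid is what tells them apart.
        self.keys = {k["kid"]: k for k in self._fetch()["keys"]
                     if k.get("use") == self.use and "kid" in k}

    def get(self, kid):
        if kid not in self.keys:
            self.refresh()  # keys rotate: refetch once before treating the kid as unknown
        if kid not in self.keys:
            raise KeyError(f"no key with use={self.use!r} and kid={kid!r}")
        return self.keys[kid]

def signing_key_for(token, sig_keys):
    """Resolve a signed JWT's verification key by the kid in its protected header."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    key = sig_keys.get(header["kid"])
    if header.get("alg") != key.get("alg"):  # the token must not get to pick the algorithm
        raise ValueError(f"token alg {header.get('alg')!r} != key alg {key.get('alg')!r}")
    return key

def jwe_protected_header(enc_keys, kid, enc):
    """JWE header for data sent to the provider; enc is the caller's choice (assumption)."""
    key = enc_keys.get(kid)
    return {"alg": key["alg"], "enc": enc, "kid": key["kid"]}
```

In production the fetch callable would perform the HTTP GET against the URL read from openid-configuration, and the KeySet for signatures would only ever be built from jwks_uri, the one for encryption only from jwks_uri_enc.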