jwk
JWKs is a standard endpoint that returns the public part of keys used by BankID OIDC provider for signing and decryption. The keys are used by BankID OIDC clients for token signature validations or encryption of login_hint or request parameter.
The standard is described in RFC7517.
BankID OIDC uses two endpoints serving public keys, these are found in the .well-known/openid-configuration settings jwks_uri and jwks_uri_enc.
- The jwks_uri returns keys for validating signatures and encrypting the authorization request's request parameter.
- The jwks_uri_enc returns keys for encrypting the login_hint. This endpoint is deprecated.
Points to consider
- Keys returned from these endpoints will be replaced by new keys at specific intervals, a cache control header in the response defines the (minimum) lifetime of the keys.
- Keys supporting new algorithms may be introduced. Removal of used algorithms will be announced.
- Kid values will not be reused, these will always be unique values identifying one and one key only.
- Keys will contain validation information so that their source, i.e. BankID OIDC, may be verified.
See key rotation for more info.
For validation of the keys themselves, trust certificates may be downloaded here.
Keys for validation of signature and encryption of request object.
| URL | https://<oidc-baseurl>/protocol/openid-connect/certs |
|---|---|
| Request | GET without parameters |
| Authentication | None |
| Success response | 200 OK with JSON structure according to standard. |
| Error response | Applicable http code |
| Example | See below |
The recommended practice for merchants is to use the jwks_uri URL from openid-configuration rather than hardcoding the URL value.
The keys will be rotated, so clients should periodically refresh their values.
A signed JWT contains a "kid" value. Validating signed JWTs is done using the key with the corresponding "kid".
There may be more then one key with "use":"sig" or "use":"enc" in the key set. All keys will have a unique "kid" value.
If, for a given key, the "use" claim is not set, the key can be used for both validating and encryption.
Example keys for validation of signature and encryption of request object
The following example shows a json response for the jwks_uri endpoint, one key for validation of signature, "use":"sig" and one key for encryption, "use":"enc"
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "jws-signing-key",
"alg": "RS256",
"n": "n0Tpq4lMuCEhnyvqyoNqK2XsMDXwNZSedeJRoDbumGKvDSKnXNHiTucwdlnHqw_okXTKeBjIQOz_KbEDh2-yMkzkpaHkwPea37KSZPpmqqlYeBsHQ1w4pdK5AIQ-gz07GyAyViSMk7Buhz3RWbzv1XP0wtSg3ZmJ1C1MEcoJuQrq2adbTitgfjESK9o0gwfJxJIXIaDlD0xJOYZ7CNVV91Q9rfRzZvoJm3luqNEFNFgiuYVAAY42WvAhpXfXowAN8jppa5N4WnL8r5R0DoDjFkZmW4od0mLntM_TU6aCshEnL1TY6f0YPwsQ6WwoGpAO5UOMcyxTcvZBx4Bzp6tUDQ"
},
{
"kid":"jJcq_VAA6XDS13OldpyaPnHCXNqJnk_dl8UfFp1QMes",
"kty":"RSA",
"alg":"RS256",
"use":"enc",
"n":"v45jY8UcvAxwSLMiVfERXzPTqa517kFNJHIoxkT5fr1G_llI78SsluK5QrszDNsxXlKin8P80fFTM4D2Dtp0HyMKFIFnCGr7CB-x6qVsRHvhSlUsbSPA_SDSycnkvrR7I0J7b7OYLS8Iw98BfQcFfzplWzEuADJvp2IpG-4xyNkIcT1NnJqTW8b6o9JXywrpZjs9uiOF30YdzhxPFWDRrJsbHCzhvGQnFSS0yoQveRUfTTriFBam5e4peUKyTobfoscN4qiMzJBObgiKufPQVbTmQGst27QrjOz_Bly443a7H7yWCQ6oUFwrJnqGQZrsXEZn6GgiytmOXqf1lAlgIw",
"e":"AQAB",
"x5c":["MIICmTCCAYECBgF3rCEyJjANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVsb2NhbDAeFw0yMTAyMTYxODM0NTJaFw0zMTAyMTYxODM2MzJaMBAxDjAMBgNVBAMMBWxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv45jY8UcvAxwSLMiVfERXzPTqa517kFNJHIoxkT5fr1G/llI78SsluK5QrszDNsxXlKin8P80fFTM4D2Dtp0HyMKFIFnCGr7CB+x6qVsRHvhSlUsbSPA/SDSycnkvrR7I0J7b7OYLS8Iw98BfQcFfzplWzEuADJvp2IpG+4xyNkIcT1NnJqTW8b6o9JXywrpZjs9uiOF30YdzhxPFWDRrJsbHCzhvGQnFSS0yoQveRUfTTriFBam5e4peUKyTobfoscN4qiMzJBObgiKufPQVbTmQGst27QrjOz/Bly443a7H7yWCQ6oUFwrJnqGQZrsXEZn6GgiytmOXqf1lAlgIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBuydwCmnB68vWOvPiMmaLnXtdhrGG7JSxmbNL1VswVpo6CeKJRugOjvR9w6k7Mzbb1uYRDbLUPfXySxKrYduayvNjR32QhnJhQnhuayOH6aLvr99P6T6fOrJJRcbhsMzS8TJkBDHWDGtFlebp+mJ/GNBxU4+iPD1jtpmrsvhrrlu3how/bTCJ39X40eAfPb6PIrjIWU7nY3G83d4dRaKGxqisixIrsrwdertloWovCBnoKSdGwYGkZgS8CowOPTtTkB6669lS0LUT1xyrw65DKC/x8ViJJe97F0JnEdnowXz8TFKvKm5tCcB6edBI9V35mGAzRc4GE0iH2hM9nFWas"],
"x5t":"zlWQMW9JJ35N_6OcPUiH6_ZtCuM",
"x5t#S256":"be5QZY5cLI1hPFJxjg7LoEO9Q_nDFbRrCypR-ezT3Rw"}
}
Keys for encryption of login_hint (Deprecated)
| URL | https://<oidc-baseurl>/encryption/keys |
|---|---|
| Request | GET without parameters |
| Authentication | None |
| Success response | 200 OK with JSON structure according to standard. |
| Error response | Applicable http code |
| Example | See below |
The recommended practice for merchants is to use the jwks_uri_enc URL from openid-configuration rather than hardcoding the URL value.
The keys may be rotated so clients should periodically refresh their values.
A encrypted JWT must contain a "kid" value. Decrypting encrypted JWTs is done using the key with the corresponding "kid". There may be more then one key with "use":"enc" in the key set.
Encryption keys are used for encryption of data sent to the BankID OIDC provider. The "kid" for the key used must be set in the encrypted JWT's header.
Example key for encryption of login_hint
The following example shows a json response for the jwks_uri_enc endpoint.
{
"keys": [
{
"kty": "EC",
"use": "enc",
"crv": "P-256",
"kid": "encryptkey",
"key_ops": [
"encrypt"
],
"x": "L5TEeQBm2LL16iuTJ1uvDrgcix7BEGVOkLLtPj7uQv8",
"y": "czNN5i6R7sDiZe-pYlw6AA-kyL82zEOc7kU2jwYe6Cc",
"alg": "ECDH-ES"
}
]
}