I want to implement an OpenID Connect server, but I don't know how I should manage JWKs for clients: just a single JWK to sign all JWT tokens, or generate a JWK per client? I would appreciate any tutorial link to help me.
2 Answers
Each client should have their own JWK. OpenID Connect Dynamic Client Registration 1.0 defines `jwks` and `jwks_uri` as client metadata.

Takahiko Kawasaki
But I see that [Auth0 private keys are unique per tenant](https://auth0.com/docs/tokens/manage-signing-keys). I think if our app is multi-tenant, we should create a public/private key pair per tenant; otherwise, a single public/private key pair is enough. – Mehran Prs Feb 23 '21 at 08:51
OK, I researched it, and this is what I found:
Google uses a single endpoint to get its JWK and verify signatures, no matter which client.
Auth0 uses a single private key per tenant, so it uses a single public/private key pair for all clients in that tenant.
Keycloak uses a single key per realm, so all clients in that realm use that single public key.
My conclusion: if our OP is multi-tenant, public/private keys can be unique per tenant; otherwise, use a single public/private key pair for all clients. Please note that we should also have key rotation.

Mehran Prs