0

I am writing a simple, single issuer, open ID connect server.

I had planned to have each relying party have its own set of rsa keys for ID token signing.

However, now that I am looking at OIDC discovery and the JWKS enpoint, I don't find mention of a way to parametrize the JWKS endpoint for a given RP.

This leads me to think that it is expected that the OIDC server will use a global set of keys for all the registered RP.

Is this correct ? Should I have a global set of keys, a public JWKS endpoint, and use the same keys for every relying party ? If not correct, how does the discovery/JWKS endpoints can be parametrized ?

Globoplox
  • 55
  • 6

1 Answers1

1

The authorization server is designed to externalise key management from applications. while also providing a key renewal solution. This should enable you to safely recycle token signing keys every quarter or so.

You don't usually need different issuers or token signing keys per relying party. Instead you can use the audience (aud) claim when required, to ensure that tokens for one RP cannot be used by another.

Therefore a set of related apps tend to use the same key(s) from the JWKS. It is possible in larger setups to create multiple issuers and keys, but without care that can adversely affect which apps can call each other with tokens.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24