Environment
- Access Manager 4.5.x
- Access Manager 5.0.x
Situation
Resolution
- use a JSON Web Key set (JWKS) and not a JSON Web Key (JWK)
- an online tool that generates such a key set is available as an example at: https://mkjwk.org/
Additional Information
- Access Manager requires a "JSON Web Key set", which is an array of web keys, and not a single JWK.
- As defined by RFC 7517
JSON Web Key (JWK)
Abstract
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.
- Example:
{
"keys": [
{
"p": "9EA3slYhY88NL3P-Vc1dHQRqwNsBmEZQIEG3v7UYXPJ5ZNgVwhwxpDfdHj-EXF37qvsGbUtE7d8haKcxd0qmrB6CebApjRCWgYLf2-b5xQo7bf1l_vmhKcsZ8U6F6MXJTmxKwM2Fd6ywEKsUEtXEXPsPDOUd-IWpqW6Hy1OHGbU",
"kty": "RSA",
"q": "x__OGqo6mLTiv2coIcRKlVYgs7L5JkSZIwg_CXGbx7yiqcTHFQkey0MBzB_WxThOxnjU9oIhYnjmZYwoIPQDslt_Xs4QDXRyJLjeGLqrTD1Vjn8kP9xc-hZCKo9RN1LgsPqnxGL-dgrFrTgVwKT_xbV_ZzPsjM3FqxkRL98G5kc",
"d": "rl0YT3ngCsztuMhjF2C10V8LwSjtDNwS-qDRH0F0-1j39FH0ll96ewIq0_wIRHkGr51t4ADPDDdV2XbK4RgjKi40iIujUKBNJFlbL7LtBpy50elxaY7Se5NwTK7gHxIUHTeQq_SuZ_qI8jdQD137WfqewOJseJMogfcCxKTWv_us7o_i57rmVHH6ascnG7KvyWWZ8sP31XG-UF67hILf0-6rIGn77ERRhuGKNsfUI3OORp4Z-UHHPrFnc_Q2Vs4craX2wVrI1jJiD0LwQWR7V6vc5k-LO5ndn393oqw1CnYGonbYdEXNA8aiWL_XghRQmObP5D9OS7p3uHnfcSH-2Q",
"e": "AQAB",
"use": "enc",
"kid": "enc-1628843924",
"qi": "5zokSNSYbac4NpjzPJBWxIZXWeO9DI3AoEhjpZgzMT5VaLz8WxWAKtBuT77n7GFFbICtMzMzztH6jeva_uwTe6qJemvmOhvmee6tdeT3Cxlbc2GVCjldVq2RLQfV9nQi2VHHU2e9dpaH2Q24PEqtUU3YySIA59LhVuGNU5dDkss",
"dp": "Rv53ce2ZDPK8yWM0tOnZO7rx8JZ3szQUzBtt9loD99g-srIgOOiLAUl_ivA5X8Oth_go2RG8uktV4Z5fQWZAZd0EXax3l1oP9Rr-SGOti7k6pvC1edRDJOu04a_KOmtq5NGTNNFIDw3xqxae4g6iYchTipL6ECeBtg67h70CktU",
"alg": "RSA1_5",
"dq": "FlqMEcTnCbxl_5irDqMe5vQacZtWZ6WRLC42xXpyO-_kim8ZBUvgqj1SDRud6KszetF0lBzVWGlE7yKsNYqwgxXg9Zq4hph2TY5wHHl4veu5DVU-mvipV7Z3LMSaAkH8JSvO5o9d-5mWoJa9L6wBfnqbw9A050P0jPwfRKd74O8",
"n": "vtH76DlZdn--XND0YlrqDre_Man5PquD52A9Jd1q2oN3UAVOATkPabc9vhF32Q2Rr4oAzR6IATloSeOxfvjS2JQtohCg7Ijwm-gB624K0my2J45wkeS3z-hRFgiLa4jzQO3yYNTUaX2PlTtxb7KwHZLHy9oLh3-n_nWAfx2VbmgoB2SPMIcRlVdtQzuTai4c-kScCNWV4_WAMGaJ5anSKmLH1qjD-EViUqLVMAmpGwlmZx2AyqzusfwgjqsJTD14E-RgY1Er9XjbYq1sMkd_i8OaYiqA9K6wRcW6d__qNL7y_FsTD08vxASZe_pE9awBvodIn2wTT69QXrg50M6_Mw"
}
]
}
- Note: using a Resource Server Encryption key allows the client application to decrypt the JWT itself, without needing to contact a TokenInfo endpoint.
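The following is an added example, not code from the knowledge base article or from Access Manager, showing a pre-flight check for the Resolution and Additional Information above: it accepts a JWK Set, wraps a bare JWK into the `{"keys": [...]}` structure Access Manager expects, and verifies that an RSA entry is internally consistent (p * q = n, d inverse of e) before it is uploaded. The toy RSA parameters (p=61, q=53) and the `enc-toy` kid are constructed for illustration only.

```python
import base64
import json
import math

def b64url_to_int(s):
    """Decode a base64url big-endian integer as used by JWK (RFC 7517/7518)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_to_b64url(i):
    """Inverse of b64url_to_int: minimal big-endian bytes, base64url, no padding."""
    return base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).decode().rstrip("=")

def as_jwk_set(doc):
    """Return a JWK Set from JSON text or a parsed object; a bare JWK is wrapped into {"keys": [jwk]}."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    if not isinstance(doc, dict):
        raise ValueError("top level must be a JSON object")
    if "keys" in doc:
        if not isinstance(doc["keys"], list) or not doc["keys"]:
            raise ValueError('"keys" must be a non-empty JSON array')
        return doc
    if "kty" in doc:
        return {"keys": [doc]}   # single JWK: this is the mistake the article describes
    raise ValueError('neither a JWK Set ("keys") nor a JWK ("kty")')

def check_rsa_jwk(jwk):
    """Check an RSA JWK for required members and internal consistency; return its kid."""
    missing = {"kty", "kid", "n", "e"} - set(jwk)
    if missing:
        raise ValueError(f"missing members: {sorted(missing)}")
    if jwk["kty"] != "RSA":
        raise ValueError(f"unsupported kty {jwk['kty']!r}")
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    if "p" in jwk and "q" in jwk:   # private key present: verify the factors match n
        p, q = b64url_to_int(jwk["p"]), b64url_to_int(jwk["q"])
        if p * q != n:
            raise ValueError("p * q does not equal n")
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
        if "d" in jwk and (e * b64url_to_int(jwk["d"])) % lam != 1:
            raise ValueError("d is not the modular inverse of e")
    return jwk["kid"]

# Constructed toy key (p=61, q=53, e=17, d=2753); real keys are 2048 bits or more.
TOY_JWK = {"kty": "RSA", "kid": "enc-toy", "use": "enc", "alg": "RSA1_5",
           "n": int_to_b64url(3233), "e": int_to_b64url(17), "d": int_to_b64url(2753),
           "p": int_to_b64url(61), "q": int_to_b64url(53)}

def validate(doc):
    """Return the kids of every key in the (wrapped) set, raising ValueError on a bad document."""
    return [check_rsa_jwk(k) for k in as_jwk_set(doc)["keys"]]

if __name__ == "__main__":
    print(validate(json.dumps(TOY_JWK)))               # bare JWK is wrapped: ['enc-toy']
    print(validate(json.dumps({"keys": [TOY_JWK]})))   # JWK Set accepted as-is: ['enc-toy']
```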