JWS Public Key Retrieval and Signature Verification

Q: How can client applications retrieve the digiRunner Public Key to verify JWS signatures?

(Keywords: JWS Verification, Public Key Endpoint, Signature Validation, digiRunner Security, ssotoken/enccert)

A: Client applications can retrieve the digiRunner public key directly from a dedicated API endpoint exposed by the system. This key is what lets a client check that a JWS-signed response really came from digiRunner and was not altered in transit.

1. Public Key Endpoint

To obtain the current active public key, your client application should call the following URL:

https://{dgr-ip}:{dgr-port}/dgrv4/ssotoken/enccert
  • Configuration: Replace {dgr-ip}:{dgr-port} (e.g., localhost:18080) with the actual domain/IP address and port of your digiRunner deployment.
  • Transport: Fetch the key over HTTPS with server-certificate validation enabled. This key is the root of trust for every later signature check, so a key obtained over an unauthenticated connection could be one that an attacker substituted.

2. Key Management & Verification Workflow

Understanding the underlying key strategy helps in implementing the verification logic correctly:

  • Unified Key Usage: digiRunner uses a single key pair for both purposes. The key that signs JWS payloads is the same key that signs digiRunner's own JSON Web Tokens (JWTs), so the public key from this endpoint verifies both.

  • Automatic Generation: You do not need to create this key manually. The key pair is automatically generated during the initial installation of the digiRunner system.

  • Bidirectional Verification: JWS verification is mutual. digiRunner uses your client's public key to verify the signatures on incoming requests, and your client uses the digiRunner public key obtained from the endpoint above to verify the signatures on the responses it receives. Only public keys are exchanged; each side's private key stays with the party that signs.
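
An end-to-end client-side example in Go, using only the standard library. It is added here and is not digiRunner's own code or documentation: it starts a local TLS test server that stands in for the enccert endpoint, fetches the key over HTTPS with certificate validation, and verifies an RS256 compact JWS, refusing tampered tokens and alg=none. Two assumptions are not stated on this page: that the endpoint returns a PEM "PUBLIC KEY" block, and that the JWS algorithm is RS256. The signing function, the test server and the sample payload are constructed for the example (a real client never holds digiRunner's private key).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const enccertPath = "/dgrv4/ssotoken/enccert" // path from the FAQ; host:port is per deployment

// fetchPublicKey GETs the enccert endpoint and parses an RSA public key.
// ASSUMPTION: the body is a PEM "PUBLIC KEY" block; the FAQ does not state the
// format (for an X.509 certificate use x509.ParseCertificate, then cert.PublicKey).
// client must validate the server's TLS certificate, or the key could be an attacker's.
func fetchPublicKey(client *http.Client, url string) (*rsa.PublicKey, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // cap the body size
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("enccert fetch failed: HTTP %d, %v", resp.StatusCode, err)
	}
	block, _ := pem.Decode(body)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("enccert response is not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("enccert key is not an RSA public key: %v", err)
	}
	return rsaPub, nil
}

// verifyJWS checks a compact JWS (header.payload.signature) and returns the payload.
// ASSUMPTION: RS256; the FAQ does not name the algorithm. The alg is pinned rather
// than trusted from the header, so "none" and HS256 key-confusion tokens are refused.
func verifyJWS(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("JWS must have exactly three segments")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("JWS segments are not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("refusing JWS with alg %q (expected RS256)", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the JWS signing input
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("JWS signature invalid")
	}
	return payload, nil
}

// signJWS plays the digiRunner side so the example runs offline; a client never holds this key.
func signJWS(payload []byte, priv *rsa.PrivateKey) string {
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail with a valid key
	return signingInput + "." + enc(sig)
}

// newFakeEnccertServer serves pub as PEM at enccertPath over TLS, standing in for a real deployment.
func newFakeEnccertServer(pub *rsa.PublicKey) *httptest.Server {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	mux := http.NewServeMux()
	mux.HandleFunc(enccertPath, func(w http.ResponseWriter, _ *http.Request) { w.Write(pemBytes) })
	return httptest.NewTLSServer(mux)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair generated at install
	srv := newFakeEnccertServer(&priv.PublicKey)
	pub, err := fetchPublicKey(srv.Client(), srv.URL+enccertPath) // srv.Client() trusts the test CA
	if err != nil {
		panic(err)
	}
	payload, err := verifyJWS(signJWS([]byte(`{"msg":"hello"}`), priv), pub)
	fmt.Println(string(payload), err) // {"msg":"hello"} <nil>
}
```

Run it with go run. When pointing fetchPublicKey at a real deployment, use an http.Client whose transport trusts that deployment's certificate, and keep the alg pinned to whatever digiRunner actually uses; never let the token's own header choose the algorithm or the key.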
