JWS Public Key Retrieval and Signature Verification

Q: How can client applications retrieve the digiRunner public key to verify JWS signatures?

A: Client applications can retrieve the currently active public key through a dedicated API endpoint. This key is required to verify JWS signatures on server responses.

Public Key Endpoint

To retrieve the currently active public key, call the following endpoint:

https://{dgr-ip}:{dgr-port}/dgrv4/ssotoken/enccert


Replace {dgr-ip}:{dgr-port} (e.g., localhost:18080) with the actual domain/IP and port of your digiRunner deployment.

Key Management and Verification Flow

The following points describe how the key is used during JWS verification:

  • Unified key usage: digiRunner uses the same key pair for JWS signing and for generating its own JSON Web Tokens (JWTs), so the key served by this endpoint verifies both.

  • Automatic key generation: The key pair is generated automatically during initial installation. No manual creation is required.

  • Client-server verification: digiRunner verifies the JWS signature on each incoming request with that client's public key. In the other direction, the client application must verify the JWS signature on each response with the digiRunner public key retrieved from the endpoint above.
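The retrieval and verification steps above, as an added end-to-end example in Go. This is not digiRunner's own client code: it assumes the endpoint returns a PEM-encoded PKIX public key and that responses are compact-serialised JWS signed with RS256 (neither format is stated on this page), and the signing routine in the block is a throwaway stand-in for the server so the example runs offline. The function names and the `{"status":"ok"}` sample response are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// ParsePublicKeyPEM turns the endpoint body into an RSA public key. The page does
// not state the body format; a PEM "PUBLIC KEY" (PKIX) block is assumed here.
func ParsePublicKeyPEM(body []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(body)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("response body is not a PEM public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if pub, ok := key.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, fmt.Errorf("endpoint key is not an RSA public key (parse error: %v)", err)
}

// FetchPublicKey GETs the active key, e.g. FetchPublicKey("https://localhost:18080").
// Use TLS with a trusted CA: a key from an unauthenticated channel proves nothing.
func FetchPublicKey(baseURL string) (*rsa.PublicKey, error) {
	resp, err := http.Get(baseURL + "/dgrv4/ssotoken/enccert")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return nil, err
	}
	return ParsePublicKeyPEM(body)
}

// VerifyJWS checks a compact RS256 JWS against pub and returns its payload. The
// algorithm is pinned here, never taken from the token, so a forged header cannot
// downgrade to "none" or to HMAC keyed with the public key.
func VerifyJWS(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header (alg %q)", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return b64.DecodeString(parts[1])
}

// signJWS stands in for the server side so the example runs offline; it is not digiRunner code.
func signJWS(payload []byte, priv *rsa.PrivateKey) string {
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// RoundTrip uses a throwaway key pair (standing in for the one generated at install):
// publishes the public half as PEM, signs and verifies a sample response, and
// reports whether a tampered payload and an alg=none token were rejected.
func RoundTrip() (payload string, tamperRejected, noneRejected bool, err error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pub, err := ParsePublicKeyPEM(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	if err != nil {
		return "", false, false, err
	}
	token := signJWS([]byte(`{"status":"ok"}`), priv)
	out, err := VerifyJWS(token, pub)
	p := strings.Split(token, ".")
	_, tErr := VerifyJWS(p[0]+"."+b64.EncodeToString([]byte(`{"status":"admin"}`))+"."+p[2], pub)
	_, nErr := VerifyJWS(b64.EncodeToString([]byte(`{"alg":"none"}`))+"."+p[1]+".", pub)
	return string(out), tErr != nil, nErr != nil, err
}

func main() {
	fmt.Println(RoundTrip())
}
```

In a real client, call FetchPublicKey once over TLS and cache the result rather than fetching per request. Because the endpoint serves the "currently active" key, a sensible policy is to re-fetch once when a signature fails to verify and only then reject the response, which keeps the client working across a key change without accepting unverified data.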

Keywords: JWS Verification, Public Key Endpoint, Signature Validation, /ssotoken/enccert
