Obtaining the JWK URL from Third-Party Identity Providers

Q: How do I find the JWK URL for a third-party Identity Provider (IdP)?

A: The standard and recommended method to obtain the JWK (JSON Web Key) URL is through the Identity Provider's OIDC Discovery endpoint, also known as the Well-Known URL.

This approach allows applications, such as digiRunner, to automatically discover all required endpoints without hardcoding them.

Step-by-Step Guide

  1. Locate the Well-Known URL. Most OIDC-compliant providers (e.g., Google, Keycloak) expose a standardized discovery URL in the format: .../.well-known/openid-configuration.

    • Google Example: https://accounts.google.com/.well-known/openid-configuration

    • Keycloak Example: http://{keycloak-domain}/realms/{realm-name}/.well-known/openid-configuration

  2. Access and parse the JSON. Open this URL in a browser or use a tool like curl. You will receive a JSON response containing the provider's metadata.

  3. Find the jwks_uri. Look for the field named jwks_uri in the JSON response. Its value is the JWK URL, which points to the public keys used for verifying JWT signatures.

Example JSON snippet

JSON
{
  "issuer": "...",
  "jwks_uri": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/certs",
  ...
}
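The three steps above, carried out in code. This is an added example, not digiRunner's own implementation, and it uses only the Python standard library. It builds the Well-Known URL from an issuer, validates the discovery document before trusting its jwks_uri (the issuer in the document must match the one that was queried, and the URL must be https unless you explicitly allow http for a local instance like the localhost example above), and then picks out the signature keys from a JWKS document by kid. The discovery and JWKS documents embedded below are constructed samples in the shape of the Keycloak response shown on this page; the key material is a placeholder, not a real key.

```python
"""Resolve a provider's jwks_uri from its OIDC discovery document.

Added example, not digiRunner's own code; standard library only.
The sample documents below are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def well_known_url(issuer: str) -> str:
    """Build the discovery URL from an issuer URL, tolerating a trailing slash."""
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


def fetch_discovery_document(issuer: str, timeout: float = 5.0) -> dict:
    """Download the well-known document (network call; not exercised offline)."""
    with urllib.request.urlopen(well_known_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def validate_discovery(doc: dict, expected_issuer: str, allow_http: bool = False) -> list:
    """Return a list of problems; an empty list means the document is usable.

    Checks: the issuer in the document matches the one we asked for (so a
    redirected or misconfigured endpoint cannot hand us someone else's keys),
    jwks_uri is present, and it is served over https unless allow_http is set
    (only sensible for a local dev instance such as the localhost example).
    """
    problems = []
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: expected {expected_issuer!r}, got {issuer!r}")
    jwks_uri = doc.get("jwks_uri")
    if not isinstance(jwks_uri, str) or not jwks_uri:
        problems.append("jwks_uri missing")
    else:
        scheme = urlsplit(jwks_uri).scheme
        if scheme != "https" and not (allow_http and scheme == "http"):
            problems.append(f"jwks_uri not https: {jwks_uri!r}")
    return problems


def extract_jwks_uri(doc: dict, expected_issuer: str, allow_http: bool = False) -> str:
    """Return jwks_uri, raising ValueError if validation fails."""
    problems = validate_discovery(doc, expected_issuer, allow_http)
    if problems:
        raise ValueError("; ".join(problems))
    return doc["jwks_uri"]


def index_signing_keys(jwks: dict) -> dict:
    """Map kid -> JWK for keys usable for signature verification.

    Keys without a kid are skipped (a verifier cannot select them from a
    token header), as are keys whose 'use' is something other than 'sig'.
    """
    keys = {}
    for key in jwks.get("keys", []):
        kid = key.get("kid")
        if not kid or key.get("use", "sig") != "sig":
            continue
        keys[kid] = key
    return keys


# Constructed sample in the shape of the Keycloak document shown on the page.
SAMPLE_ISSUER = "http://localhost:8080/realms/customer-api-realm"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "http://localhost:8080/realms/customer-api-realm",
  "authorization_endpoint": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/token",
  "jwks_uri": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/certs"
}""")

# Constructed JWKS; n and e are placeholders, not a real key.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-key-1", "use": "enc", "alg": "RSA-OAEP",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
}

if __name__ == "__main__":
    uri = extract_jwks_uri(SAMPLE_DISCOVERY, SAMPLE_ISSUER, allow_http=True)
    print("jwks_uri:", uri)
    print("signing kids:", sorted(index_signing_keys(SAMPLE_JWKS)))
```

Against a live provider you would call fetch_discovery_document(issuer) and pass the result to extract_jwks_uri with the same issuer string; the issuer comparison is the check that keeps a verifier from loading keys from a document that is not the provider's own.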

Integration Tip for digiRunner

When configuring an external IdP in digiRunner (under Client Management > GTW OAuth 2.0 IdP), only the Well-Known URL needs to be provided.

The system will automatically retrieve the jwks_uri and other required endpoints via Service Discovery.

Keywords: OIDC, JWK URL, Identity Provider, Well-Known URL, Auto-Discovery, JWT Verification
