Obtaining the JWK URL from Third-Party Identity Providers
Q: How do I find the JWK URL for a third-party Identity Provider (IdP)?
(Keywords: OIDC, JWK URL, Identity Provider, Well-Known URL, Auto-Discovery, JWT Verification)
A: The standard and recommended method to obtain the JWK (JSON Web Key) URL is through the Identity Provider's OIDC Discovery endpoint, also known as the Well-Known URL.
This approach allows applications (like digiRunner) to automatically discover all necessary endpoints without hardcoding them.
Step-by-Step Guide:
Locate the Well-Known URL:
Most OIDC-compliant providers (e.g., Google, Keycloak) expose a standardized discovery URL in the format: .../.well-known/openid-configuration.
Google Example:
https://accounts.google.com/.well-known/openid-configuration
Keycloak Example:
http://{keycloak-domain}/realms/{realm-name}/.well-known/openid-configuration
Access and Parse the JSON:
Open this URL in a browser or use a tool like curl. You will receive a JSON response containing the provider's metadata.
Find the jwks_uri:
Look for the field named jwks_uri in the JSON response. The value of this field is the JWK URL you need, which points to the public keys used for verifying JWT signatures.
Example JSON snippet:
{
  "issuer": "...",
  "jwks_uri": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/certs",
  ...
}
Integration Tip for digiRunner:
When configuring an external IdP in digiRunner (under Client Management > GTW OAuth 2.0 IdP), you typically only need to provide the Well-Known URL. The system uses Service Discovery to automatically retrieve the jwks_uri and other required endpoints for you.
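The three steps above as a script, with the checks worth making before trusting the result: the issuer in the document must be the one you asked for, and the jwks_uri should be HTTPS outside local development. This is an added example, not digiRunner code; the function names, the allow_http parameter and the sample issuer value are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def well_known_url(issuer: str) -> str:
    """Build the discovery URL from an issuer URL (trailing slash ignored)."""
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


def extract_jwks_uri(metadata_text: str, expected_issuer: str,
                     allow_http: bool = False) -> str:
    """Return jwks_uri from a discovery document after basic sanity checks."""
    meta = json.loads(metadata_text)
    issuer = meta.get("issuer")
    # If the document names a different issuer, its keys belong to someone
    # else and must not be used to verify tokens for the expected IdP.
    if not isinstance(issuer, str) or issuer.rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: got {issuer!r}")
    jwks_uri = meta.get("jwks_uri")
    if not isinstance(jwks_uri, str) or not jwks_uri:
        raise ValueError("discovery document has no jwks_uri")
    parsed = urlparse(jwks_uri)
    # Keys fetched over plain HTTP can be swapped in transit; allow it only
    # when the caller opts in (e.g. a localhost Keycloak during development).
    if parsed.scheme != "https" and not (allow_http and parsed.scheme == "http"):
        raise ValueError(f"refusing non-HTTPS jwks_uri: {jwks_uri}")
    if not parsed.netloc:
        raise ValueError(f"jwks_uri is not an absolute URL: {jwks_uri}")
    return jwks_uri


def discover(issuer: str, allow_http: bool = False) -> str:
    """Fetch the discovery document over the network and return jwks_uri."""
    with urllib.request.urlopen(well_known_url(issuer), timeout=10) as resp:
        return extract_jwks_uri(resp.read().decode("utf-8"), issuer, allow_http)


# Constructed sample document, modelled on the Keycloak snippet above.
SAMPLE = json.dumps({
    "issuer": "http://localhost:8080/realms/customer-api-realm",
    "jwks_uri": "http://localhost:8080/realms/customer-api-realm"
                "/protocol/openid-connect/certs",
})

if __name__ == "__main__":
    print(extract_jwks_uri(SAMPLE, "http://localhost:8080/realms/customer-api-realm",
                           allow_http=True))
```

Calling discover("https://accounts.google.com") performs the same steps against a live provider.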
