Sharing JWK Sets Across Multiple Applications

Q: Can multiple applications share a single JWK (JSON Web Key) set for token validation?

A: Yes. Sharing a single JWK set across multiple applications is not only possible but is considered a best practice under the OpenID Connect (OIDC) and OAuth 2.0 frameworks.

Why this works The JWK Set is tied to the Issuer (the Identity Provider, such as a Keycloak Realm or Google), not to individual client applications. Because the IdP uses the same private key(s) to sign tokens for a specific realm or scope, all applications within that scope must use the same corresponding public keys to verify them.

How the Mechanism Works

• Centralized Publishing: The IdP publishes all active public keys at a single, public URL endpoint known as the jwks_uri.

• Auto-Discovery: Applications (or the digiRunner gateway) automatically discover this endpoint using the IdP's Well-Known URL (e.g., /.well-known/openid-configuration), eliminating the need for manual key configuration.

• Token Verification: When a backend service receives a token, it checks the kid (Key ID) in the token header, fetches the shared JWK Set from the jwks_uri, and uses the matching public key to verify the signature.

Real-World Examples

• Keycloak: A Realm (e.g., customer-api-realm) exposes a single jwks_uri. Whether there are 5 or 50 client applications in that realm, they all validate tokens using that same endpoint.

• Google: All applications that integrate with Google Sign-In globally verify tokens using the same Google JWK Set.

Key Benefits

• Centralized Management: The IdP handles key rotation automatically, without requiring changes in your applications.

• Simplified Configuration: You only need to configure the IdP's Issuer URL; the system handles the rest.

• Enhanced Security: Relies on standardized, vetted verification protocols rather than custom key exchange methods.

Keywords: OIDC, OAuth 2.0, JWK Set, Identity Provider, Token Validation, Multi-Application Architecture