How do I create JWKS? #654

amitava82 · 2024-03-14T07:00:10Z

amitava82
Mar 14, 2024

I'm trying to figure out how to generate JWKS. So far all the examples I could find use node-jose library.

  const { publicKey, privateKey } = await generateKeyPair('RS256', {
    extractable: true,
  });
  const keys = {
    publicKey: await exportJWK(publicKey), 
    privateKey: await exportJWK(privateKey),
  };
  fs.writeFileSync('keys.json', JSON.stringify(keys, null, 2));
  
  // How do I generate jwks so jwt can be verified using `createRemoteJWKSet` for example?

Answered by big-kahuna-burger

Mar 14, 2024

import fs from 'node:fs/promises'
import { generateKeyPair, exportJWK } from 'jose'
import Fastify from 'fastify'

const keyFile = './keys.json'

const fileExists = await fs
  .stat(keyFile)
  .then(() => true)
  .catch(() => false)

if (!fileExists) {
  const { privateKey } = await generateKeyPair('RS256')
  await fs.writeFile(keyFile, JSON.stringify(await exportJWK(privateKey)))
}

const { kty, n, e } = JSON.parse(await fs.readFile(keyFile, 'utf-8'))
const publicKey = { kty, n, e }

const fastify = Fastify({
  logger: true
})

fastify.get('/jwks', async (request, reply) => {
  reply.send({
    keys: [publicKey]
  })
})

fastify.listen({ port: 3042 }, (err, address) => {
  if (err) {
    f…

View full answer

big-kahuna-burger · 2024-03-14T16:23:41Z

big-kahuna-burger
Mar 14, 2024
Sponsor

import fs from 'node:fs/promises'
import { generateKeyPair, exportJWK } from 'jose'
import Fastify from 'fastify'

const keyFile = './keys.json'

const fileExists = await fs
  .stat(keyFile)
  .then(() => true)
  .catch(() => false)

if (!fileExists) {
  const { privateKey } = await generateKeyPair('RS256')
  await fs.writeFile(keyFile, JSON.stringify(await exportJWK(privateKey)))
}

const { kty, n, e } = JSON.parse(await fs.readFile(keyFile, 'utf-8'))
const publicKey = { kty, n, e }

const fastify = Fastify({
  logger: true
})

fastify.get('/jwks', async (request, reply) => {
  reply.send({
    keys: [publicKey]
  })
})

fastify.listen({ port: 3042 }, (err, address) => {
  if (err) {
    fastify.log.error(err)
    process.exit(1)
  }
})

Pay attention to what is done with kty, e, n properties. These are required and sufficient properties for RSA type public keys. There are other properties in that keys file that belong to private part of the key and should not be exposed.
There are other properties that can be public when using JWK format.

Best to read the spec on this to learn more about it. And also see the example:
https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.1

(note: it's not best idea to store those private keys on disk)

1 reply

amitava82 Mar 15, 2024
Author

Thank you for the detailed example! I had to add following additional properties to make it work

alg: 'RS256',
use: 'sig',
kid: 'key-1',

I think alg and kid is required. Some of the validation tools I used for testing was failing to verify the jwt without it.

big-kahuna-burger · 2024-03-14T16:25:59Z

big-kahuna-burger
Mar 14, 2024
Sponsor

Now somewhere else, you can simply:

import { createRemoteJWKSet } from "jose"
createRemoteJWKSet(new URL("http://localhost:3042/jwks"))

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How do I create JWKS? #654

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

How do I create JWKS? #654

amitava82 Mar 14, 2024

Replies: 2 comments · 1 reply

big-kahuna-burger Mar 14, 2024 Sponsor

amitava82 Mar 15, 2024 Author

big-kahuna-burger Mar 14, 2024 Sponsor

amitava82
Mar 14, 2024

Replies: 2 comments 1 reply

big-kahuna-burger
Mar 14, 2024
Sponsor

amitava82 Mar 15, 2024
Author

big-kahuna-burger
Mar 14, 2024
Sponsor