I am working on an authentication system that has access and refresh tokens, JWT and JWKS. My problem is that I don't know what the functionality of JWKS is. What is the functionality of JWKS in an authentication system that works with JWT, refresh tokens and access tokens? What are the public and private keys in this system? Does JWKS need to connect to a database?
Do you mean JWKS or a JWKS endpoint?
JWKS is a JSON Web Key Set - a JSON notation for sharing the public keys which are used to verify the signature of a signed JWT.
A JWKS endpoint is an endpoint exposed by the Authorization Server from which you can obtain a JWKS.
Whenever you need to work with the content of a JWT (e.g. you have an API which receives the JWT and needs to perform authorization decisions) you should verify the signature. In order to verify it you need a public key, which corresponds to the private key used by the Authorization Server to sign the JWT. This public key can be obtained in different ways (e.g. you can hard-code it in your API), and getting it from a JWKS endpoint is one valid way. If you have the option of reading public keys from a JWKS endpoint I would recommend using it - this greatly simplifies key management in your system. Whenever you need to rotate keys, you just change them in the Authorization Server. It's especially useful if you do not control the Authorization Server - then you don't have to worry about key rotation at all.
You can have a look at the second part of this free course: OpenID Connect in Details (requires email registration). The JWKS topic is covered there.
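As an added example (not part of the answer above), here is a stdlib-only sketch in Python of both sides of what the answer describes: the Authorization Server signs an RS256 JWT with its private key and publishes only the public part as a JWKS, and the API selects the key by `kid` from that JWKS and verifies the signature. The RSA key is built from two known Mersenne primes purely so the snippet runs offline; it, the `kid` and the claims are constructed toy values, not anything from a real system.

```python
import base64, hashlib, json

# Toy RSA key from two known Mersenne primes: constructed for this demo only.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent, stays on the AS
K = (N.bit_length() + 7) // 8             # modulus length in bytes
KID = "demo-key-1"                        # hypothetical key id
# DigestInfo prefix for SHA-256 used by RSASSA-PKCS1-v1_5 (RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# What the Authorization Server publishes at its JWKS endpoint: public parts only.
JWKS = {"keys": [{"kty": "RSA", "kid": KID, "alg": "RS256", "use": "sig",
                  "n": b64url(N.to_bytes(K, "big")), "e": b64url(E.to_bytes(3, "big"))}]}

def _encoded_message(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt(claims: dict) -> str:
    """Authorization Server side: sign header.payload with the private exponent."""
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = pow(_encoded_message(signing_input.encode(), K), D, N)
    return signing_input + "." + b64url(sig.to_bytes(K, "big"))

def verify_jwt(token: str, jwks: dict):
    """API side: pick the key by kid from the JWKS, check RS256; return claims or None."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":
        return None  # only accept the algorithm you expect
    key = next((jwk for jwk in jwks["keys"] if jwk.get("kid") == header.get("kid")), None)
    if key is None:
        return None  # unknown kid: refetch the JWKS (key rotation) or reject
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s), "big")
    if sig >= n or pow(sig, e, n) != _encoded_message(f"{h}.{p}".encode(), k):
        return None  # signature does not match: tampered or signed by another key
    return json.loads(b64url_decode(p))
```

Note that the API never touches the private exponent or a database: everything it needs to verify comes from the token header and the published JWKS, which is why rotating keys on the Authorization Server is enough.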