# ory-network
c
Hello, I've been playing around with Ory Network and generated a JWT from a session (following https://www.ory.sh/docs/identities/session-to-jwt-cors), which works great so far. However, while trying to verify the generated JWT against the `jwksURL` (https://{my-project-slug}.projects.oryapis.com/.well-known/jwks.json), I can't find the `kid` I get from this JWT. Did I miss something here?
s
@careful-rain-13694 Did you ever get this question answered? I'm facing a similar issue.
c
Hello @swift-analyst-72183 I've actually just found a way to deal with this issue by providing an existing `kid` while creating the jwk (see related documentation). So you need to fetch a `kid` from your configured JWKS url (https://{my-project-slug}.projects.oryapis.com/.well-known/jwks.json) and create a jwk passing this related key. Here is a way to do that:
```shell
# Read the JWKS URL from the project's OIDC discovery config (jq -r returns the string without quotes)
JWKS_URL=$(ory get project "$ORY_PROJECT_ID" --format json-pretty | jq -r '.services.oauth2.config.webfinger.oidc_discovery.jwks_url')
# Take the kid of the first key currently published at that URL
KID=$(curl -s "$JWKS_URL" | jq -r '.keys[0].kid')
# Create a JWK set named sencrop-jwk whose key reuses that kid, base64-encoded for the jwt_template
ory create jwk sencrop-jwk "$KID" --alg RS256 --project "$ORY_PROJECT_ID" --format json-pretty | base64
```
Then you need to configure your `jwt_template` accordingly, providing the base64 encoded jwks URL:
```json
"whoami": {
  "required_aal": "highest_available",
  "tokenizer": {
    "templates": {
      "jwt_template_1": {
        "claims_mapper_url": "URL OR BASE64 of your claims mapper",
        "jwks_url": "base64://{YOUR_JWKS}",
        "ttl": "10m0s"
      }
    }
  }
}
```
I hope it is going to help 😉
s
Thank you! I see `[<key-id>]` in the docs here (https://www.ory.sh/docs/cli/ory-create-jwk) but I did not know what that did: `ory create jwk <set-id> [<key-id>] [flags]`
g
I followed these steps but it would fail signature verification in .NET. It was kinda hard to debug the default validation flow, even with the 3rd-party code decompiled and a debugger attached, because of how it's structured. I ended up hardcoding the jwks generated during the process.
c
👋 I've spent more time lately on this issue and I noticed the solution I mentioned before did not work as expected because I could not verify the JWT properly (I am not sure it was using the same signature for generation and validation). I finally figured something else out by using the JWKS being used for my OAuth2 / OIDC setup (hydra), which comes as `hydra.jwt.access-token`, so I could make sure the same JWK set is being used for both signing the JWT and verifying it.
```shell
# Export the JWK set Hydra already signs access tokens with, base64-encoded for the jwt_template,
# and pipe it into the clipboard
ory get jwk hydra.jwt.access-token --project "$ORY_PROJECT_ID" --format json-pretty | base64 | c
```
Pasting the result value from the clipboard into the dedicated section of the jwt_template used as tokenizer (as mentioned before). I hope it could help in your setup as well 🙏
l
Thank you @careful-rain-13694 - this works great for me as well.