< chilly king 10285> How are JSON Web Keys and JSON Web Toke Ory Community #ory-copilot

Join Slack

<@U04UQ68083H> How are JSON Web Keys and JSON Web ...

# ory-copilot

boundless-artist-2317

06/25/2024, 4:30 PM

@chilly-king-10285 How are JSON Web Keys and JSON Web Tokens managed in Ory?

chilly-king-10285

06/25/2024, 4:31 PM

A message from kapa.ai

chilly-king-10285

06/25/2024, 4:31 PM

In Ory, JSON Web Keys (JWKs) and JSON Web Tokens (JWTs) play a vital role in securing the transmission of sensitive information, particularly in the context of Ory OAuth2 and OpenID Connect. They are used to sign and verify ID tokens and JWT access tokens. The two most commonly used cryptographic keys in Ory are RS256 and ES256[^1^]. By default, Ory OAuth2 and OpenID Connect generate two cryptographic keys for each Ory Network project: one for ID Tokens and one for JWT Access Tokens. These keys are stored securely and encrypted at rest using AES256-GCM and the system secret[^2^]. You can validate JWTs issued by Ory by pointing your JWT library to the

/.well-known/jwks.json

endpoint[^3^]. This endpoint contains the public keys for verifying ID tokens and JWT access tokens[^8^]. In Ory, JWK endpoints require a

set-id

which corresponds to the specific set of keys you want to interact with. The default

set-id

values are

hydra.openid.id-token

for OpenID Connect ID Tokens and

hydra.jwt.access-token

for JWT Access Tokens[^3^]. To manage these keys, you can use the JWK endpoints to retrieve, rotate, or otherwise manage these default key sets[^3^]. For example, to rotate cryptographic keys in Ory, you can use the JSON Web Keys API[^4^]. You can also use the Ory API to create or update a JSON Web Key Set[^6^][^7^]. If you want to use your own keys instead of letting Hydra generate the JWKs for you, you can use the

PUT /admin/keys/{set}

and

PUT /admin/keys/{set}/{kid}

5 Views

Open in Slack

Previous Next