how to get KeyID (KID) in JWT

Rock Hitman 46

Hi, I need to send below paramters as request hitting external Restful service
But I am not sure/ dont know from where do I get the information of 'kid' to be passed in the input as Header parameter.

Can anyone pls advice

header
{
"kid": "Gb389a-9f76-gdjs-a92j-0242bk94356",
"alg": "PS256"
}

//PAYLOAD
{
"iss": "b99d9297-9d99-1sh2-a8b3-0301jh130828",
"sub": "b99d9297-9d99-1sh2-a8b3-0301jh130828",,
"aud": "https://platform.geico.ins.io",
"exp": 1410871077,
"nbf": 1410871077,,
"iat": 1410871077,,
"jti": "h6734251-8d43-1sh2-a9v1-0242ac130003",
"scope": "profile-search"
}

4 answers

Anita Lad 1 Reputation point

2021-11-27T23:44:48.09+00:00
Key Id mainly refers to a Secret that can be retrieved and used to validate the signed JWT.

Mostly it is just a random guid that is stored as a secret Id.

It should be provided by the generator of the JWT so that a Validator can retrieve the correct secret based on the "kid" to validate the signed JWT token.

If this is static then the JWT generator should provide this once.

Most likely it is rotated key. In that case, this should be exposed via another secure endpoint.
For example: https://demo.identityserver.io/.well-known/openid-configuration/jwks

This is first time answering a question !

I hope this helps.
Please sign in to rate this answer.
Rock Hitman 46 Reputation points

2021-11-28T00:13:47.84+00:00

@Anonymous
I need to pass all the Header and Payload values as input parameters when calling a external Rest service

You mentioned 'It should be provided by the generator of the JWT' -> who or from where can I get this generator of JWT ? Do I need to call any external program, software or any tool to generate this and to validate ?

I am not sure from where do I get kid, iss, jti values to be pass in the header and payload.
Will this values be generated from any software, or will rest service client provide it to us. I only know these are dynamic values

Please advice

Anita Lad 1 Reputation point

2021-11-28T20:37:30.337+00:00

Hi, Let's start from the beginning.

Are you generating the JWT token from your API side?

If so, on what occasion do you create the JWT ? i.e. Authentication, Authorisation. etc

Are you signing/encrypting this JWT token ?

Let's say, you are generating the JWT because it is a requirement from the target (Ext Restful Service) API. In that case, when you pass this token with a request, who/what will validate this token ?

How did you come to the conclusion regarding the required JWT token format ?

The reason behind the questions to understand your exact situation, then I can tell you whether you need to make up values and store them, retrieved from the JWt validator service in your case or simply ignore irrelevant payload and including header.

Rock Hitman 46 Reputation points

2021-11-29T07:48:49.057+00:00

the target system uses an Authorization server to authenticate clients (our's) and provide an Access Token to invoke services.
The API client will obtain the Access Token from Target system's Authorization server.
The Target system follows JWT profile for OAuth 2.0 Client authentication and Authorization grants for issuing Access Token.

So to get this Access Token, we from our API side must first authenticate with the OAuth server to target systems endpoint.

It is my understanding To get this JWT.... we need to pass the Header, Payload and JWS

As I am new to this, trying to figure out step by step procedure in achieving this.

Anita Lad 1 Reputation point

2021-11-29T10:41:47.227+00:00

In that case, you should ask the target service stakeholders to provide required details to form the JWT token.

"The Target system follows JWT profile for OAuth 2.0 Client authentication and Authorization grants for issuing Access Token." - If this is the case, then the returned access token should be in the form of JWT and you just store the exact Access/Jwt token on your system (if it is server side then in cache, if it is on client side then in cookie) and pass it with consecutive requests.

I personally believe, the target service should provide the exact Jwt that they are going to authenticate against. This is to make sure clients/consumers are completely segregated from the auth processes and also to prevent accidental misconfigurations.

I will be very surprised if they provide access token as some sort of Guid string and ask you to create JWT on your own! You are the client system so all the pains and aches of token generations, validations, refresh etc should be taken care by the target system.

In summary,

Mostly likely your API shouldn't be creating the JWT but receiving the token and passing it for consecutive requests

If not, ask target system to provide all the details that "they" require to validate the token. You can easily create token on server side by using JWT client library. see: https://jwt.io/libraries

I hope this helps!

Rock Hitman 46 Reputation points

2021-11-29T19:35:37.44+00:00

Yes when we send the JWT to the target system, we get Access_Token in response if it is successful.
For this Access_Token to get in response, we need to pass the Header and Payload in request.
And this JWT is unique in every call request we make.

the target system uses an Authorization server to authenticate clients (Souce system) and provide an Access Token to invoke services.
The source system will obtain the Access Token from Target system's Authorization server.
The Target system follows JWT profile for OAuth 2.0 Client authentication and Authorization grants for issuing Access Token.

In order to do that, Source system need to provide the following

URLs for signing and Encryption
OpenId Connect well-known endpoint (OR)
jwks and Issuer URLs

Authetication
The network exposed APIs should be secured using either signed JWT, private key jwt or Access Token .
Target system will provide client_id to be used in the APIs

Certificates
We as source system should provide a certificate of issuing CAs for Authentication
Private key may be stored in PEM file

there is an existing Authorization service which provided you with signing certificates? Iam trying to figure out how to generate the required JWT to obtain the Access Token?

Anita Lad 1 Reputation point

2021-11-30T10:30:49.207+00:00

Hi Rock,

I assume that the Auth service component is already exists that can sign and validate tokens. This component generally refer as Identity provider. This is a stand alone component that is used by both Client and Target API. Client API retrieve the Access_Token by proving their identity. Target API will pass the received Access_Token/Jwt to Identity provider to validate the requester/Client.

In this particular scenario,

1. URLs for signing and Encryption

Obtain from the Authentication Service (Identity Provider).

2. Authentication

Obtain from the Authentication Service (Identity Provider).

3. Certificates

Work in collaboration with Auth/Identity Provider to generate a certificate and store PEM file.

Rock Hitman 46 Reputation points

2021-11-30T18:01:13.27+00:00

No, I dont think the Identity component provider exists. This is a first time calling Target REST service.
No setup has been done with them. They just provided with an example of Request and response parameters

Anita Lad 1 Reputation point

2021-11-30T23:22:23.523+00:00

Have you asked them where/how they are going to validate these signed tokens ?

Surely, they wouldn't expect you to setup and host an identity provider. right ?

Rock Hitman 46 Reputation points

2021-12-01T06:24:38.807+00:00

Please read the below :

I am building a client and need help getting the access token.

would like to know what needs to be passed in grant_type ? client_assertion ?
Where to get these values from ?

Request:
POST /token HTTP/1.1
Host: <org-hostname>:443
Timestamp: 1212669235
Date: Fri, 12 May 2016 17:21:16 GMT+0000
Content-type: application/x-www-form-urlencoded

grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=profile-search&client_assertion=<JSON Web Signature (JWS)>

Response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Content-Length: 653
Date: Tue, 29 Oct 2019 14:13:29 GMT
{
"access_token" : "KjdsjEeRFwksjqefindikHAfDKV...",
"token_type" : "bearer"
"expires_in" : 3600
"scope":"profile-search"
}

In the above, the target system is expecting request parameters client_assertion which is(JWS). Also, target system mentioned they do not authenticate with Basic Auth...they do Bearer Authorization. as client_assertion is JWT token that will be signed with cert.....then my question is how do I get Header and Payload values from ? As these Header and Payload combo is JWT Token and needs to be passed as input parameters to get the Access Token in response. And these values change dynamically
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Anita Lad 1 Reputation point

2021-11-30T10:34:59.453+00:00
4. TOKEN

Whatever the credentials that you require to be authenticated on the target system, should be provided by the target system via Auth/Identity Provider.

So looking at you initial token format -

header
{
"kid": "Gb389a-9f76-gdjs-a92j-0242bk94356",

Should be exposed by Identity provider. If dynamic, it should provide an end-point to access this details on regular intervals.

"alg": "PS256"

Identity provider should let you know of the algorithm that it supports
}

//PAYLOAD
{
"iss": "b99d9297-9d99-1sh2-a8b3-0301jh130828",

Mainly related to the target system. Identity provider will make sure that the issuer is the target service.

"sub": "b99d9297-9d99-1sh2-a8b3-0301jh130828",

The subject that Client and Target API have been agreed upon

"aud": "https://platform.geico.ins.io",

Target Service URL

"exp": 1410871077,

Expiry of the token. Mainly inline with the expiry of the Access token

"nbf": 1410871077,

Not Before: Optional (find out from Identity Provider if required)

"iat": 1410871077,

Issued At : Optional (find out from Identity Provider if required)

"jti": "h6734251-8d43-1sh2-a9v1-0242ac130003",

Jwt token ID: Optional (find out from Identity Provider if required)

"scope": "profile-search"

Client API to request the particular operation. (Ask Target Service for available values)
}
Please sign in to rate this answer.
Rock Hitman 46 Reputation points

2021-11-30T18:01:53.727+00:00

No, I dont think the Identity component provider exists. This is a first time calling Target REST service.
No setup has been done with them. They just provided with an example of Request and response parameters
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
AgaveJoe 28,036 Reputation points

2021-12-01T00:33:35.74+00:00

Can you clarify what you are trying to do? Are you building a token server? Are you trying to build a REST API and need to validate a PS256 signature? Are you building a client and need help getting the access token? Are you building a proxy?

When you say the token changes do you mean the token is not deterministic due to the PS256 signature?
Please sign in to rate this answer.
Rock Hitman 46 Reputation points

2021-12-01T01:35:29.147+00:00

I am building a client and need help getting the access token.

would like to know what needs to be passed in grant_type ? client_assertion ?
Where to get these values from ?

POST /token HTTP/1.1
Host: <org-hostname>:443
Timestamp: 1212669235
Date: Fri, 12 May 2016 17:21:16 GMT+0000
Content-type: application/x-www-form-urlencoded

grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=profile-search&client_assertion=<JSON Web Signature (JWS)>

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Content-Length: 653
Date: Tue, 29 Oct 2019 14:13:29 GMT
{
"access_token" : "KjdsjEeRFwksjqefindikHAfDKV...",
"token_type" : "bearer"
"expires_in" : 3600
"scope":"profile-search"
}
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
AgaveJoe 28,036 Reputation points

2021-12-01T14:49:20.983+00:00

The example shows the grant type is client_credentials using JWT Bearer Token Profile for OAuth 2.0 Client Authentication. The client_assertion is a JWT used to authenticate the client. The identity provider you are using should have documentation that explains how to get or populate client assertation JWT.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

how to get KeyID (KID) in JWT

4 answers

1. URLs for signing and Encryption

2. Authentication

3. Certificates

4. TOKEN

Your answer