JWKS Endpoint
GET /.well-known/keys
Corppass signs all JSON Web Tokens (JWTs) issued during the authentication and authorization process using a dedicated signing key. RPs can validate these JWT signatures by retrieving the signing public key from the Corppass JSON Web Key Set (JWKS) endpoint.
This endpoint returns one or more public keys in JSON Web Key (JWK) format. To validate a JWT signature:
- Use the JWK where the use attribute is set to sig (indicating a signing key).
- Ensure the kid value in the JWK matches the kid value in the JWT's JOSE header.
Request
You can fetch this using any HTTP client:
curl https://www.id.corppass.gov.sg/.well-known/keys
Or simply open it in your browser.
Response
Successful JWKS Response Example
HTTP/2 200
content-type: application/jwk-set+json; charset=utf-8
content-length: 955

{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo",
      "alg": "ES256",
      "crv": "P-256",
      "x": "gnbm-h8k3ZzeegHK0x87wO_SP_MLFts9XPZm7pE8U04",
      "y": "JvtZtPUqAS6837asiImtx-oO05wQS-Z6lOneq9zi_qQ"
    }
  ]
}
JWKS Key Rotation
Corppass reserves the right to rotate or update its signing keys at any time and without prior notice. When a key rotation occurs:
- New keys will be published to the JWKS endpoint and will include a unique kid value.
- JWTs issued after the rotation will reference the updated kid in their JOSE headers.
- RPs must refresh their cached JWKS by querying the JWKS endpoint to retrieve the updated keys.
It is essential for RPs to implement proper handling for key rotations to ensure uninterrupted validation of JWT signatures.
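The key selection and rotation handling described above, as an added Node.js example that is not Corppass code: `JwksVerifier`, the injected `fetchJwks` function, `makeSigner` and the 60-second refresh floor are assumptions made for illustration. A locally generated P-256 key stands in for a real signing key so the block runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// Decode one base64url JWT segment into a Buffer.
const b64u = (s) => Buffer.from(s, 'base64url');

// Caches signing keys by kid and refetches the JWKS when a JWT names an uncached kid.
class JwksVerifier {
  constructor(fetchJwks, minRefreshMs = 60000) {
    this.fetchJwks = fetchJwks;       // hypothetical: returns the parsed JWKS document
    this.minRefreshMs = minRefreshMs; // assumed floor, so bogus kids cannot force a fetch per token
    this.keys = new Map();
    this.lastFetch = -Infinity;
  }
  refresh(now) {
    // Keep only signing keys of the type shown in the response example (EC, P-256).
    this.keys = new Map(this.fetchJwks().keys
      .filter((k) => k.use === 'sig' && k.kty === 'EC' && k.crv === 'P-256')
      .map((k) => [k.kid, k]));
    this.lastFetch = now;
  }
  verify(jwt, now = Date.now()) {
    const parts = jwt.split('.');
    if (parts.length !== 3) throw new Error('malformed JWT');
    const header = JSON.parse(b64u(parts[0]));
    // Pin the algorithm; the token's header must not choose it.
    if (header.alg !== 'ES256') throw new Error('unexpected alg');
    const stale = now - this.lastFetch >= this.minRefreshMs;
    if (!this.keys.has(header.kid) && stale) this.refresh(now); // rotation path
    const jwk = this.keys.get(header.kid);
    if (!jwk) throw new Error('unknown kid');
    const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
    const ok = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key, dsaEncoding: 'ieee-p1363' }, b64u(parts[2])); // JWS uses raw r||s signatures
    if (!ok) throw new Error('bad signature');
    return JSON.parse(b64u(parts[1]));
  }
}

// Constructed test material: generates a key pair and signs ES256 JWTs with it.
function makeSigner(kid) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = { ...publicKey.export({ format: 'jwk' }), use: 'sig', alg: 'ES256', kid };
  const sign = (claims) => {
    const input = [{ alg: 'ES256', kid }, claims]
      .map((o) => Buffer.from(JSON.stringify(o)).toString('base64url')).join('.');
    const sig = nodeCrypto.sign('sha256', Buffer.from(input),
      { key: privateKey, dsaEncoding: 'ieee-p1363' });
    return `${input}.${sig.toString('base64url')}`;
  };
  return { jwk, sign };
}
```

Signature verification covers only key selection and integrity; claims such as issuer, audience and expiry still need their own checks.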