
JWKS Endpoint

GET /.well-known/keys

Corppass signs all JSON Web Tokens (JWTs) issued during the authentication and authorization process using a dedicated signing key. RPs can validate these JWT signatures by retrieving the signing public key from the Corppass JSON Web Key Set (JWKS) endpoint.

This endpoint returns one or more public keys in JSON Web Key (JWK) format. To validate a JWT signature:

  1. Use the JWK where the use attribute is set to sig (indicating a signing key).

  2. Ensure the kid value in the JWK matches the kid value in the JWT’s JOSE header.

Responses from this endpoint, or the individual keys within the JWKS, should be cached for at least 1 hour so that the JWKS is not retrieved for every JWT validation.

Response

Response Example

HTTP/2 200
content-type: application/jwk-set+json; charset=utf-8
content-length: 955
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo",
      "alg": "ES256",
      "crv": "P-256",
      "x": "gnbm-h8k3ZzeegHK0x87wO_SP_MLFts9XPZm7pE8U04",
      "x5c": [
        "MIIB2TCCAYCgAwIBAgIUWSJjkrsmm08OFT3PDSegP/6fTXwwCgYIKoZIzj0EAwIwRDELMAkGA1UECAwCU0cxCzAJBgNVBAcMAlNHMQswCQYDVQQKDAJDUDEMMAoGA1UEAwwDTkRJMQ0wCwYDVQQLDARTUENQMB4XDTI0MTExMTA1MjYyMloXDTI2MTExMDA1MjYyMlowRDELMAkGA1UECAwCU0cxCzAJBgNVBAcMAlNHMQswCQYDVQQKDAJDUDEMMAoGA1UEAwwDTkRJMQ0wCwYDVQQLDARTUENQMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgnbm+h8k3ZzeegHK0x87wO/SP/MLFts9XPZm7pE8U04m+1m09SoBLrzftqyIia3H6g7TnBBL5nqU6d6r3OL+pKNQME4wHQYDVR0OBBYEFBShdiaEMMNlMU15ewIkmCdBQFZOMB8GA1UdIwQYMBaAFBShdiaEMMNlMU15ewIkmCdBQFZOMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIrv7vCRg/XGmPz74X3Ygs5gV2jEPCvPCBtyU/hR59GYCIGPBWS1/DmvQztjoknyjv8fvop7QUiTf8jotrZc4ssDK"
      ],
      "y": "JvtZtPUqAS6837asiImtx-oO05wQS-Z6lOneq9zi_qQ",
      "x5t": "ljFP32-_2i4WJZ0vo0UM-8Xr5oI",
      "x5t#S256": "OvNklZwNmhiE6tu9mtWTDAv218k2DMjuRaGhkBgFdOo"
    }
  ]
}

JWKS Key Rotation

Corppass reserves the right to rotate or update its signing keys at any time and without prior notice. When a key rotation occurs:

  1. New keys will be published to the JWKS endpoint and will include a unique kid value.

  2. JWTs issued after the rotation will reference the updated kid in their JOSE headers.

  3. RPs must refresh their cached JWKS by querying the JWKS endpoint to retrieve the updated keys.

It is essential for RPs to implement proper handling for key rotations to ensure uninterrupted validation of JWT signatures.

The following fields will be deprecated in the next major version of the API:

  • x5c

  • x5t

  • x5t#S256

Plan to update your applications to remove reliance on these fields. We strongly recommend reviewing the updated API documentation and transitioning to alternative fields as soon as possible to avoid disruptions.


Last updated 3 months ago