JWKS Configurations

What algorithm should I use for signing JWTs?

  • Corppass only supports EC (Elliptic Curve) algorithms for signing.

  • Supported curves: P-256, P-384, P-521.

  • Example algorithm: ES256 (EC Signature with SHA-256)

Ensure that your JWKS configuration specifies the alg field correctly and matches one of the supported EC algorithms.


What is the required format for the JWKS Object?

The JWKS Object must conform to the RFC 7517 specification and include the following attributes:

  • kid (Key ID): Unique identifier for the key.

  • kty (Key Type): Type of key (EC for signing, EC or RSA for encryption).

  • use (Usage): Indicates the key’s purpose (sig for signing or enc for encryption).

  • alg (Algorithm): Specifies the algorithm (e.g., ES256 for signing, ECDH-ES+A256KW for encryption).

  • Key-specific attributes:

    • For EC keys (Elliptic Curve): crv (curve), x, and y.

    • For RSA keys (encryption only): n (modulus) and e (exponent).

We recommend that relying parties (RPs) use a publicly accessible endpoint that serves their application's public keys in JWKS format.

If you need Corppass to host the JWKS Object, please submit a service request via Partner Support.


What should I do if JWT validation fails?

  • Verify the kid in the JWT header matches a key in the JWKS Object or Endpoint.

  • Check the alg field in the JWT and ensure it aligns with the expected algorithm.

  • Ensure your public key matches the private key used for signing.
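The attribute list and the kid and alg troubleshooting checks above can be run locally before a JWKS is submitted. The following Python sketch is an added example, not Corppass code: the function names and the sample key are constructed, the ES256/ES384/ES512 pairing with the supported curves is taken from RFC 7518, and no signature is verified.

```python
import base64
import json

# RFC 7518 pairs each ECDSA algorithm with one curve.
ES_ALG_FOR_CURVE = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi"}  # must never be published

# Constructed sample: placeholder coordinates, not a real key.
SAMPLE_JWKS = {"keys": [{"kid": "rp-sig-01", "kty": "EC", "use": "sig",
                         "alg": "ES256", "crv": "P-256",
                         "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}]}

def lint_jwk(jwk):
    """Return the problems found in one JWK, following the attribute list."""
    problems = [f"missing {f}" for f in ("kid", "alg") if not jwk.get(f)]
    kty, use, crv, alg = (jwk.get(f) for f in ("kty", "use", "crv", "alg"))
    if use not in ("sig", "enc"):
        problems.append(f"use must be sig or enc, got {use!r}")
    if kty == "EC":
        if crv not in ES_ALG_FOR_CURVE:
            problems.append(f"unsupported crv {crv!r}")
        elif use == "sig" and alg and alg != ES_ALG_FOR_CURVE[crv]:
            problems.append(f"alg {alg!r} does not fit curve {crv}")
        problems += [f"missing {m}" for m in ("x", "y") if not jwk.get(m)]
    elif kty == "RSA":
        if use != "enc":
            problems.append("RSA keys are accepted for encryption only")
        problems += [f"missing {m}" for m in ("n", "e") if not jwk.get(m)]
    else:
        problems.append(f"unsupported kty {kty!r}")
    if jwk.keys() & PRIVATE_MEMBERS:
        problems.append("private key material present")
    return problems

def diagnose_jwt(token, jwks):
    """Apply the kid and alg checks to a JWT header; no signature is verified."""
    seg = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        return f"{len(matches)} keys with kid {header.get('kid')!r} in JWKS"
    key = matches[0]
    if key.get("use") != "sig":
        return f"key {key['kid']!r} is not a signing key"
    if key.get("alg") != header.get("alg"):
        return f"header alg {header.get('alg')!r} != key alg {key.get('alg')!r}"
    return "ok"
```

A result of "ok" from diagnose_jwt only rules out kid and alg mismatches; whether the public key matches the private key used for signing still has to be confirmed by verifying a signature.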


What is the lifetime for Corppass tokens?

Tokens issued by Corppass have the following lifetimes:

  • Authorisation Code: 10 minutes

  • ID Token: 10 minutes

  • Access Token: 10 minutes


What if I can't expose my JWKS endpoint publicly?

Corppass requires that client JWKS endpoints be publicly accessible to ensure smooth key verification.

However, if exposing your JWKS endpoint publicly raises security concerns for your organisation, you may request Corppass to host the JWKS Object instead. Submit a request via Partners Support Centre for assistance in setting this up.


Can I configure both a JWKS Endpoint and a JWKS Object for the same service?

No. Corppass supports only one option for each service: Relying Parties can submit either a JWKS Endpoint or a JWKS Object.
