Get JWKS for Key Rotation Policy
GET {{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks
The GET {{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks endpoint returns, in JWKS format, the public keys of all keys attached to a key rotation policy (KRP). For more information, refer to RFC 7517.
The following parameters are shown for each key:
- `kty`: This is the key type, which identifies the cryptographic algorithm family used with the key. Options are `RSA`. The `kty` parameter of enclosing `JWK` values will be consistent with the `algorithm` parameter of the `KrpKey`.
- `e`: This is the RSA public exponent parameter, which is used in the RSA Key blinding operation.
- `kid`: This is the key ID parameter, which is used to match a corresponding `kid` key value in the JWT token to validate the requestor and grant access to the specified API endpoint. The `kid` parameter of enclosing `JWK` values will refer to the UUID assigned to `KrpKeys` at creation time. These UUIDs are Type 1 (time-based) and therefore denote a chronological rotation order.
- `use`: This is the public key use parameter, which identifies the intended use of the public key. Options are `sig` (signature) and `enc` (encryption). The `use` parameter of enclosing `JWK` values must be consistent with the `UsageType` assigned to the parent KRP.
- `n`: This is the RSA modulus parameter, which is used in the RSA Key blinding operation.
- `x5t`: This is an X.509 certificate SHA-1 thumbprint parameter, which is a base64url-encoded SHA-1 thumbprint of the DER encoding of an X.509 certificate.
- `x5c`: This is an X.509 certificate chain parameter, which is a chain of one or more PKIX certificates.
Example Request
-
cURL
-
C#
-
Go
-
HTTP
-
Java
-
jQuery
-
NodeJS
-
Python
-
PHP
-
Ruby
-
Swift
# Fetch the JWKS (public keys) of a key rotation policy.
# The {{...}} tokens are template placeholders; substitute them before running.
# -L follows redirects; -g turns off curl's URL globbing so the braces are
# passed through literally.
# NOTE: a bearer token given on the command line is visible in the local
# process list; on shared hosts, curl can read the header from a file
# instead (-H @FILE).
curl -L -g \
  -H 'Authorization: Bearer {{accessToken}}' \
  '{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks'
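// Fetch the JWKS (public keys) of a key rotation policy and print it.
// The {{...}} tokens are template placeholders; substitute them before running.
var options = new RestClientOptions("{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks")
{
    // Explicit upper bound in milliseconds instead of -1, so a stalled
    // connection cannot hold the caller indefinitely.
    // NOTE(review): confirm the unit against the RestSharp version in use.
    MaxTimeout = 30000,
};
var client = new RestClient(options);
var request = new RestRequest("", Method.Get);
request.AddHeader("Authorization", "Bearer {{accessToken}}");
RestResponse response = await client.ExecuteAsync(request);

// ExecuteAsync reports HTTP and transport failures on the response object,
// so check it before treating the content as a key set.
if (!response.IsSuccessful)
{
    Console.Error.WriteLine($"JWKS request failed: {(int)response.StatusCode} {response.ErrorMessage}");
    return;
}
Console.WriteLine(response.Content);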
package main
import (
	"fmt"
	"io"
	"net/http"
	"time"
)
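// main fetches the JWKS (public keys) of a key rotation policy and prints it.
//
// The {{...}} tokens are template placeholders; substitute them before
// running. Errors and non-200 responses are printed and end the program.
func main() {
	url := "{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks"
	method := "GET"

	// A zero-value http.Client has no timeout; bound the whole exchange so a
	// stalled server cannot block the caller forever.
	client := &http.Client{
		Timeout: 30 * time.Second,
	}

	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Authorization", "Bearer {{accessToken}}")

	res, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	// Cap the read at 1 MiB so an unexpectedly large response cannot exhaust
	// memory; a JWKS document is far smaller than that.
	body, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
	if err != nil {
		fmt.Println(err)
		return
	}

	// Only a 200 response carries a key set; report anything else as an error
	// instead of handing it on as if it were keys.
	if res.StatusCode != http.StatusOK {
		fmt.Printf("unexpected HTTP status %s: %s\n", res.Status, body)
		return
	}
	fmt.Println(string(body))
}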
GET /environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks HTTP/1.1
Host: {{apiPath}}
Authorization: Bearer {{accessToken}}
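// Fetch the JWKS (public keys) of a key rotation policy and print it.
// The {{...}} tokens are template placeholders; substitute them before running.
OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
Request request = new Request.Builder()
    .url("{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks")
    // A GET carries no body: OkHttp throws IllegalArgumentException when a
    // GET request is built with a RequestBody, so use get() instead.
    .get()
    .addHeader("Authorization", "Bearer {{accessToken}}")
    .build();
// try-with-resources closes the response, releasing its connection.
try (Response response = client.newCall(request).execute()) {
    // Do not treat an error response as a key set.
    if (!response.isSuccessful()) {
        throw new java.io.IOException("Unexpected HTTP status: " + response.code());
    }
    System.out.println(response.body().string());
}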
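// Fetch the JWKS (public keys) of a key rotation policy and log it.
// The {{...}} tokens are template placeholders; substitute them before running.
const settings = {
  url: "{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks",
  method: "GET",
  // Milliseconds. A value of 0 means no timeout, which would leave a stalled
  // request pending indefinitely.
  timeout: 30000,
  headers: {
    Authorization: "Bearer {{accessToken}}",
  },
};

$.ajax(settings)
  .done(function (response) {
    console.log(response);
  })
  // Surface HTTP and transport failures instead of dropping them silently.
  .fail(function (jqXHR, textStatus, errorThrown) {
    console.error("JWKS request failed:", jqXHR.status, textStatus, errorThrown);
  });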
var request = require('request');
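// Fetch the JWKS (public keys) of a key rotation policy and print it.
// The {{...}} tokens are template placeholders; substitute them before running.
const options = {
  method: 'GET',
  url: '{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks',
  headers: {
    Authorization: 'Bearer {{accessToken}}',
  },
  // Milliseconds; bounds the wait so a stalled server cannot hang the process.
  timeout: 30000,
};

request(options, function (error, response) {
  // Rethrow the original error so its type and stack trace are preserved.
  if (error) throw error;
  // Only a 200 response carries a key set; do not print an error body as keys.
  if (response.statusCode !== 200) {
    throw new Error(`Unexpected HTTP status: ${response.statusCode}`);
  }
  console.log(response.body);
});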
import requests
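# Fetch the JWKS (public keys) of a key rotation policy and print it.
# The {{...}} tokens are template placeholders; substitute them before running.
url = "{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks"
headers = {
    'Authorization': 'Bearer {{accessToken}}'
}

# requests applies no timeout unless one is given, so a stalled server would
# block this call forever; bound it explicitly (seconds). A GET needs no body,
# so no payload is sent.
response = requests.get(url, headers=headers, timeout=30)

# Raise on 4xx/5xx so an error body is never mistaken for a key set.
response.raise_for_status()

print(response.text)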
<?php
// Fetch the JWKS (public keys) of a key rotation policy and echo it.
// The {{...}} tokens are template placeholders; substitute them before running.
require_once 'HTTP/Request2.php';

$request = new HTTP_Request2();
$request->setUrl('{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks');
$request->setMethod(HTTP_Request2::METHOD_GET);
// NOTE(review): redirects are followed while an Authorization header is set;
// confirm the library does not forward the bearer token to a different host.
$request->setConfig(['follow_redirects' => true]);
$request->setHeader(['Authorization' => 'Bearer {{accessToken}}']);

try {
    $response = $request->send();
    $status = $response->getStatus();
    if ($status == 200) {
        // Success: the body is the JWKS document.
        echo $response->getBody();
    } else {
        // Any other status is reported rather than treated as a key set.
        echo 'Unexpected HTTP status: ' . $status . ' ' . $response->getReasonPhrase();
    }
} catch (HTTP_Request2_Exception $e) {
    // Transport-level failure (connection, protocol, ...).
    echo 'Error: ' . $e->getMessage();
}
require "uri"
require "net/http"
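# Fetch the JWKS (public keys) of a key rotation policy and print it.
# The {{...}} tokens are template placeholders; substitute them before running.
url = URI("{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks")

http = Net::HTTP.new(url.host, url.port)
# Net::HTTP speaks plain HTTP unless TLS is switched on explicitly. Without
# this, a request to an https URL would put the bearer token on the wire
# unencrypted.
http.use_ssl = (url.scheme == "https")
# Bound connect and read waits (seconds) so a stalled server cannot hang the
# script.
http.open_timeout = 10
http.read_timeout = 30

request = Net::HTTP::Get.new(url)
request["Authorization"] = "Bearer {{accessToken}}"

response = http.request(request)
# Only a 2xx response carries a key set; stop rather than print an error body.
unless response.is_a?(Net::HTTPSuccess)
  abort "Unexpected HTTP status: #{response.code} #{response.message}"
end
puts response.read_body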
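// Fetch the JWKS (public keys) of a key rotation policy and print it.
// The {{...}} tokens are template placeholders; substitute them before running.
guard let url = URL(string: "{{apiPath}}/environments/{{envID}}/keyRotationPolicies/{{krpID}}/jwks") else {
    // Fail with a clear message instead of a bare force-unwrap crash.
    fatalError("Invalid JWKS URL")
}

// A finite timeout interval (seconds) replaces Double.infinity, so a stalled
// server cannot leave the task pending forever.
var request = URLRequest(url: url, timeoutInterval: 30)
request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization")
request.httpMethod = "GET"

let task = URLSession.shared.dataTask(with: request) { data, response, error in
    guard let data = data else {
        print(String(describing: error))
        return
    }
    // Only a 200 response carries a key set; report anything else.
    if let http = response as? HTTPURLResponse, http.statusCode != 200 {
        print("Unexpected HTTP status: \(http.statusCode)")
        return
    }
    // Lenient decoding: invalid UTF-8 is replaced rather than crashing on a
    // force-unwrapped nil.
    print(String(decoding: data, as: UTF8.self))
}
task.resume()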
Example Response
200 OK
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "default",
"x5c": [
"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"
],
"alg": "RSA",
"n": "jgQ8twHSmSlT28I7iTi4-IsA3jgfhGPx0pIC27LDf0q4wBE8Ap5dG7kqL9GE7zoxleghUs6APQ0qKWaTxBSqxISzZmZpRQqipM-Tog3wgLciIbRtyRHTXmCmzFJcG5spoe2XtcZ3zMRs9kkOUzxN2XMXHBidQKFB82_NjDwqhW_gdbS1vJLt1j9gjl60wvXcTwFzTkqh6owGjMCVFrraEv-H6XdhP4VMM7gsPOSD-IJke0CmQyVMVXVWoydahMLqLuz59HBUCYFcW0HVJLDMKJvNoFhY9xZW3oiVrNPP7COdv5-4SLq3EIi5WVd9TglYDQt2SmyDV36pcBPautKvQ"
}
]
}