How do I create JWKS?

[amitava82]

I'm trying to figure out how to generate JWKS. So far all the examples I could find use node-jose library.

  const { publicKey, privateKey } = await generateKeyPair('RS256', {
    extractable: true,
  });
  const keys = {
    publicKey: await exportJWK(publicKey), 
    privateKey: await exportJWK(privateKey),
  };
  fs.writeFileSync('keys.json', JSON.stringify(keys, null, 2));
  
  // How do I generate jwks so jwt can be verified using `createRemoteJWKSet` for example?

[big-kahuna-burger]

import fs from 'node:fs/promises'
import { generateKeyPair, exportJWK } from 'jose'
import Fastify from 'fastify'

const keyFile = './keys.json'

const fileExists = await fs
  .stat(keyFile)
  .then(() => true)
  .catch(() => false)

if (!fileExists) {
  const { privateKey } = await generateKeyPair('RS256')
  await fs.writeFile(keyFile, JSON.stringify(await exportJWK(privateKey)))
}

const { kty, n, e } = JSON.parse(await fs.readFile(keyFile, 'utf-8'))
const publicKey = { kty, n, e }

const fastify = Fastify({
  logger: true
})

fastify.get('/jwks', async (request, reply) => {
  reply.send({
    keys: [publicKey]
  })
})

fastify.listen({ port: 3042 }, (err, address) => {
  if (err) {
    fastify.log.error(err)
    process.exit(1)
  }
})

Pay attention to what is done with kty, e, n properties. These are required and sufficient properties for RSA type public keys. There are other properties in that keys file that belong to private part of the key and should not be exposed.
There are other properties that can be public when using JWK format.

Best to read the spec on this to learn more about it. And also see the example:
https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.1

(note: it's not best idea to store those private keys on disk)

[amitava82]

Thank you for the detailed example! I had to add following additional properties to make it work

alg: 'RS256',
use: 'sig',
kid: 'key-1',

I think alg and kid is required. Some of the validation tools I used for testing was failing to verify the jwt without it.

[eyueldk]

Weird behavior. Even using jose to create JWKS, it requires the mentioned fields. Using exportJWK is not enough to build a valid JWKS.

[big-kahuna-burger]

Now somewhere else, you can simply:

import { createRemoteJWKSet } from "jose"
createRemoteJWKSet(new URL("http://localhost:3042/jwks"))