I am implementing something similar to: https://login.microsoftonline.com/common/discovery/v2.0/keys
A Spring Boot JWT application which generates and validates JWT tokens. I will generate many public/private keys (I do not want to generate all tokens with one key. One key pair will generate tokens with a shorter lifetime, the second will generate longer ones...). I will create an endpoint /keys with the public keys. The question is: how to connect the proper public key with the private key in my application to validate it?
And the second one: how to generate keys like above (with fields like "kty":"RSA", "use":"sig", "kid"...)? Is there any pattern to do it?
How to generate keys like above (with fields like "kty": "RSA", "use": "sig", "kid" ...) Is there any pattern to do it?
It's a standard called JSON Web Key (JWK), defined in the RFC 7517, which defines a data structure that represents a cryptographic key in JSON.
In Java, you can use Nimbus JOSE + JWT, which supports JWK with RSA keys.
How to connect proper public key with private key in my application to validate it?
You can use the kid header claim in your token: it is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
Since a signed JWT is a JWS, consider the definition from RFC 7515:
4.1.4. "kid" (Key ID) Header Parameter
The "kid" (key ID) Header Parameter is a hint indicating which key was used to secure the JWS. This parameter allows originators to explicitly signal a change of key to recipients. The structure of the "kid" value is unspecified. Its value MUST be a case-sensitive string. Use of this Header Parameter is OPTIONAL. When used with a JWK, the "kid" value is used to match a JWK "kid" parameter value.
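As an added example (not code from the question or the answer above), one way to wire this up with Nimbus JOSE + JWT: two RSA key pairs with different token lifetimes, their public halves published as a JWK Set for the /keys endpoint, and a verifier that selects the public key by the token's kid header. The kid values, subject and lifetimes are made-up values.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.Date;
import java.util.List;

public class KidLookupDemo {
    // Server-side signing key: "kty":"RSA" is implied, "use":"sig", "kid" and "alg" are set here.
    static RSAKey newSigningKey(String kid) throws JOSEException {
        return new RSAKeyGenerator(2048).keyID(kid)       // kid: a made-up opaque identifier
                .keyUse(KeyUse.SIGNATURE).algorithm(JWSAlgorithm.RS256).generate();
    }

    // Issue a token and record which key signed it in the "kid" header.
    static String issue(RSAKey key, String subject, long lifetimeSeconds) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject).issueTime(now)
                .expirationTime(new Date(now.getTime() + lifetimeSeconds * 1000)).build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(key.getKeyID()).type(JOSEObjectType.JWT).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    // Verifier side: match the header kid against the published JWK Set; unknown kid or
    // unexpected alg means the token is rejected before any signature check.
    static boolean verify(String token, JWKSet publicKeys) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        JWK jwk = publicKeys.getKeyByKeyId(jwt.getHeader().getKeyID());
        if (!(jwk instanceof RSAKey)) return false;
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return false;
        return jwt.verify(new RSASSAVerifier(jwk.toRSAKey()))
                && new Date().before(jwt.getJWTClaimsSet().getExpirationTime());
    }

    public static void main(String[] args) throws Exception {
        RSAKey shortLived = newSigningKey("access-2024-01");
        RSAKey longLived = newSigningKey("refresh-2024-01");
        // What /keys should serve: public parameters only (toPublicJWK strips the private ones).
        JWKSet published = new JWKSet(List.<JWK>of(shortLived.toPublicJWK(), longLived.toPublicJWK()));
        System.out.println(published.toString());
        String access = issue(shortLived, "alice", 15 * 60);          // 15 minutes
        String refresh = issue(longLived, "alice", 30L * 24 * 3600);  // 30 days
        System.out.println(verify(access, published) + " " + verify(refresh, published));
    }
}
```

When a key is rotated, keep the old public key in the set until every token signed with it has expired, so that kid lookups for in-flight tokens still succeed.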