I was asked recently to speak at a developer forum about ways to make it easier for developers to secure their applications in the cloud. The session was great and lots of questions were asked, but perhaps the most surprising question came from a developer who wants to integrate a custom application with Oracle Identity Cloud Service. This developer needs access to the public keys used by Identity Cloud Service before a user has authenticated to the service. More importantly, the developer needs the keys represented in the JWK format. According to the specification, a JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.
There are very valid reasons why the developer needs access to the public keys without an authenticated session. Public keys let someone verify the signature on something signed with the associated private key or encrypt a message to send to you.
The developer asked: "Can I get a JWK from Oracle Identity Cloud Service without an OAuth Access Token?"
The answer is simple… YES!!! There are two important APIs available in Oracle Identity Cloud Service:
- The first API provides the well-known configuration for Identity Cloud Service – {{HOST}}/.well-known/idcs-configuration. This API returns jwks_uri inside the openid-configuration section of its JSON response.
- The second API returns the JWK itself – {{HOST}}/admin/v1/SigningCert/jwk
It is important to know that by default this endpoint is a protected resource. You’ll need to update the Oracle Identity Cloud default settings as described below to make it publicly available.
So here is how to make the public keys publicly accessible:
Log in to Oracle Identity Cloud Service as an administrator
Click on the Icon at the top of the screen next to the Oracle logo
Expand the Settings tab
Click on the Default Settings tab
Enable the Access Signing Certificate switch. This enables clients to access the signing certificate for the identity domain without logging in to Oracle Identity Cloud Service. The screen should look like the screenshot below (I have highlighted the relevant switch in a red box):
You can test this out with the Oracle Identity Cloud Service REST APIs. I’ve used the Postman artefacts from this tutorial:
Using the Oracle Identity Cloud Service REST APIs with Postman
Here is a sample screenshot of the response from the configuration API, showing the JWKS URI. Notice that I have deliberately not enabled the Authorization key in the header. This means that my API call is not authorized/authenticated, i.e. the API is publicly available without logging on to Oracle Identity Cloud Service:
Here is a screenshot showing the results from the JWKS API. The result is in JWK format. Again, notice that I have deliberately not enabled the Authorization key in the header. This means that my API call is not authorized/authenticated, i.e. the API is publicly available without logging on to Oracle Identity Cloud Service:
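To show what a client does with these two endpoints end to end, here is an added Python example (not code from the original post or from Oracle): it reads jwks_uri out of the well-known configuration, fetches the JWK set with no Authorization header, picks the RSA key named by a token's kid, and verifies an RS256 signature with the standard library only. The tenant host, key id and token used with it are assumptions, and the comment about an HTTP 401 is an inference from the post, not a documented error code.

```python
import base64, hashlib, json, urllib.request

# DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT/JWK omit '=' padding

def fetch_json(url: str) -> dict:
    # Deliberately no Authorization header: both endpoints have to answer anonymously
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def jwks_uri_from_config(config: dict) -> str:
    # The well-known document nests the OIDC metadata under "openid-configuration"
    return config["openid-configuration"]["jwks_uri"]

def select_key(jwks: dict, kid: str) -> dict:
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    raise KeyError(f"no RSA key with kid={kid!r} in JWKS")

def pkcs1_v15_em(k: int, data: bytes) -> bytes:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(data), padded to the modulus length k
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token: str, jwks: dict) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never accept "none" or HS*
        raise ValueError("unexpected alg")
    key = select_key(jwks, header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if recovered != pkcs1_v15_em(k, f"{h_b64}.{p_b64}".encode("ascii")):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_b64))  # caller still checks iss/aud/exp claims

def load_idcs_jwks(host: str) -> dict:
    # host is the tenant base URL (the post's {{HOST}} placeholder). An HTTP 401 here
    # presumably means the "Access Signing Certificate" switch is still off.
    config = fetch_json(f"{host}/.well-known/idcs-configuration")
    return fetch_json(jwks_uri_from_config(config))
```

Call load_idcs_jwks once at startup (or on a cache miss for an unknown kid) and pass the result to verify_rs256 for each incoming token.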
I hope you found this article helpful. Happy coding!