Reputation: 144
Why are there two certificates at the endpoint to retrieve the JWK encoded keys if only one key is needed to verify the signature of a JWT?
These are the instructions where I found the endpoint: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
Upvotes: 0
Views: 546
Reputation: 4236
It is up to the auth server to decide how many keys they use. As you see there are two keys defined, each with a unique key ID (kid). Each key may have a dedicated purpose based on several criteria, such as scope, client type, key rotation, etc.
The JWT returned contains an attribute kid that specifies which key it was signed with. If you are verifying the JWT signature, you have to use the key identified by the kid in the JWT.
Upvotes: 1