Stburcher

Reputation: 84

JWKS URI missing in JWT based on Keycloak Client

I have activated the JWKS_URI in my OAuth client (within Keycloak).

Now, my expectation was that besides the KID a field JWKS_URI would be part of the JWT for that client. But I see only KID. The CERTS endpoint works and responds with a JWKS JSON format.

Is my understanding correct that the JWKS_URI should be in the Token? (see https://www.rfc-editor.org/rfc/rfc8414.html)

Upvotes: 3

Views: 5943

Answers (2)

Dzmitry Dranitski

Reputation: 669

For keycloak:23.0.6 the URLs are slightly different:

  • all security endpoints: GET http://localhost:8080/realms/<REALM>/.well-known/openid-configuration
  • certs: GET http://localhost:8080/realms/<REALM>/protocol/openid-connect/certs
  • public key: http://localhost:8080/realms/<REALM>

Upvotes: 1

Bench Vue

Reputation: 9390

From rfc8414.html, in the 3.2. Authorization Server Metadata Response section.

The JWKS_URI is in the Authorization Server Metadata Response

It is the response to 3.1. Authorization Server Metadata Request, and the request example is

     GET /.well-known/oauth-authorization-server HTTP/1.1
     Host: example.com

Example response:

     {
      "issuer":
        "https://server.example.com",
      "authorization_endpoint":
        "https://server.example.com/authorize",
      "token_endpoint":
        "https://server.example.com/token",
      "token_endpoint_auth_methods_supported":
        ["client_secret_basic", "private_key_jwt"],
      "token_endpoint_auth_signing_alg_values_supported":
        ["RS256", "ES256"],
      "userinfo_endpoint":
        "https://server.example.com/userinfo",
      "jwks_uri":
        "https://server.example.com/jwks.json",
      "registration_endpoint":
        "https://server.example.com/register",
      "scopes_supported":
        ["openid", "profile", "email", "address",
         "phone", "offline_access"],
      "response_types_supported":
        ["code", "code token"],
      "service_documentation":
        "http://server.example.com/service_documentation.html",
      "ui_locales_supported":
        ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
     }

In Keycloak, this API provides it:

http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

"jwks_uri" (the certificate endpoint) is in its response, as in the following JSON.

    {
      "issuer": "http://localhost:8080/auth/realms/my-realm",
      "authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth",
      "token_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
      "introspection_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token/introspect",
      "userinfo_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/userinfo",
      "end_session_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/logout",
      "frontchannel_logout_session_supported": true,
      "frontchannel_logout_supported": true,
      "jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
      "check_session_iframe": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/login-status-iframe.html",
      "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
      ],
      "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
      ],
      "subject_types_supported": [
        "public",
        "pairwise"
      ],
      "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
      ],

    ...

You show the header of a JWT. In the JWT specification, RFC 7519, the example shows only "typ" and "alg", not "jwks_uri":

    {"typ":"JWT",
      "alg":"HS256"}

Upvotes: 2
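As an added example (not code from either answer or from Keycloak), this is the lookup a token verifier actually performs: the `kid` is read from the token header, while `jwks_uri` comes from the trusted discovery document, never from the token. The discovery document, JWKS entry and token below are constructed placeholders; the function stops at key selection and leaves the signature check to a JWT library.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed stand-ins for what a verifier would fetch over HTTPS (hypothetical values).
DISCOVERY = {
    "issuer": "http://localhost:8080/realms/my-realm",
    "jwks_uri": "http://localhost:8080/realms/my-realm/protocol/openid-connect/certs",
}
JWKS = {"keys": [
    {"kid": "key-2024-a", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "placeholder", "e": "AQAB"},
]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))

def make_token(header: dict, payload: dict) -> str:
    # Constructed, unsigned sample token: the signature segment is only a placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"

def select_key(token: str, discovery: dict, jwks: dict) -> dict:
    """Pick the JWK for `token`: kid from the header, jwks_uri from the discovery document."""
    header = jwt_header(token)
    # Key locations inside the token (RFC 7515 jku/jwk/x5u) would let the signer choose the key.
    for forbidden in ("jku", "jwk", "x5u"):
        if forbidden in header:
            raise ValueError(f"untrusted key-location header {forbidden!r} in token")
    alg = header.get("alg")
    if alg is None or alg == "none" or alg.startswith("HS"):
        raise ValueError(f"alg {alg!r} cannot be verified against an asymmetric JWKS")
    # jwks_uri is a property of the issuer; check it belongs to the issuer's origin.
    iss, jwks_uri = urlparse(discovery["issuer"]), urlparse(discovery["jwks_uri"])
    if (iss.scheme, iss.netloc) != (jwks_uri.scheme, jwks_uri.netloc):
        raise ValueError("jwks_uri does not belong to the issuer origin")
    kid = header.get("kid")
    if kid is None:
        raise ValueError("token header carries no kid; cannot pick a key from the JWKS")
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            if key.get("alg") not in (None, alg):
                raise ValueError("kid found but its alg does not match the token header")
            return key
    # Unknown kid usually means the realm rotated keys; the caller should refetch jwks_uri once.
    raise LookupError(f"no key with kid {kid!r} at {discovery['jwks_uri']}")
```

After `select_key` returns a JWK, pass it and the token to the JWT library's verify call; the discovery document and JWKS should be cached and refetched on an unknown `kid`.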
