By: Zen Leow user 13 Apr 2022 at 8:28 p.m. CDT

0 Responses
This is most likely a noob question. We have an OIDC provider integration task which needs the relying party to have a jwks url that provides sig and enc keys that are EC key type instead of RSA. And the kid for each listed key needs to be in ISO timestamp format.

Example of required keys:

Example EC signing key using P-256 and a timestamped key Id:

    {
      "kty": "EC",
      "use": "sig",
      "kid": "sig-2022-01-15T12:10:06Z",
      "crv": "P-256",
      "x": "Tk42ths24XSUJSrKDH3cVGsd0F2WqCr0UgeAd2gLi8",
      "y": "9GGUbu519a5xczbQexq1_iVJjGGBSlV5m_KGd2WNvtE"
    }

Example EC encryption key using P-256 and a timestamped key Id; asking us to encrypt the CEK using ECDH-ES+A128KW:

    {
      "kty": "EC",
      "use": "enc",
      "kid": "enc-2022-01-15T12:10:06Z",
      "crv": "P-256",
      "x": "xpk2dkD5EtRjRPvMSzYnlVjUKzmNhz7wf0DP_8f3GXtY",
      "y": "lqh4mG28-SBJLimWcfqLkj2AnHtaxpnB1qsN6PdeRva",
      "alg": "ECDH-ES+A128KW"
    }

I've tried looking at "Replacing Expired JKS Files" in 4.3 docs but it only talks about jks for scim service. https://gluu.org/docs/gluu-server/4.3/operation/replace-expired-jks-scim/

Then I referred to https://gluu.org/docs/gluu-server/4.3/admin-guide/certificate/

I don't see oxauth-keys.json anywhere in /etc/certs folder. Even tried reinstalling but it's still not there. The oxauth-keys.jks is in there though. And I can see those keys in the jks listed in jwks url endpoint.

Am I right to assume the keys in oxauth-keys.json will go into the jwks url listing? Do I need to do anything else to have keys listed? How is the kid determined? By using the alias of the key in the keystore?

The article also talks about oxauth-client.jar to generate keys but I could really use some help with examples of how to use this library to achieve what I need. Tried Googling but it didn't go anywhere useful.

Any help is appreciated. Thank you.

Best regards,
Zen
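As an added example that is not part of the original post and does not use the oxauth-client.jar tool the post asks about: generating P-256 key pairs with the Go standard library and emitting their public halves in the JWKS shape the post shows, with "sig"/"enc" use values, the ECDH-ES+A128KW alg on the encryption key, and a kid of the form "<use>-<ISO 8601 timestamp>". The member names follow RFC 7517/7518; the kid prefix convention and the alg value are taken from the post's examples.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)
// JWK holds the RFC 7517 members the post's JWKS examples use.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Alg string `json:"alg,omitempty"` // set only on the enc key
}

// coord encodes one P-256 coordinate as unpadded base64url, left-padded to
// the full 32-byte field width that RFC 7518 section 6.2.1.2 requires.
func coord(b []byte) string {
	buf := make([]byte, 32)
	copy(buf[32-len(b):], b)
	return base64.RawURLEncoding.EncodeToString(buf)
}

// newKey generates a P-256 key pair and returns the private key plus its
// public JWK; the kid is "<use>-<ISO 8601 timestamp>" as the post requires.
func newKey(use, alg string, t time.Time) (*ecdsa.PrivateKey, JWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, JWK{}, err
	}
	jwk := JWK{Kty: "EC", Use: use, Crv: "P-256", Alg: alg,
		Kid: use + "-" + t.UTC().Format(time.RFC3339),
		X:   coord(priv.PublicKey.X.Bytes()),
		Y:   coord(priv.PublicKey.Y.Bytes())}
	return priv, jwk, nil
}

func main() {
	now := time.Now()
	_, sig, _ := newKey("sig", "", now) // private halves stay in the keystore
	_, enc, _ := newKey("enc", "ECDH-ES+A128KW", now)
	out, _ := json.MarshalIndent(map[string][]JWK{"keys": {sig, enc}}, "", "  ")
	fmt.Println(string(out)) // publish this document at the jwks_uri
}
```

Only the public JWK goes to the jwks url; the returned private key is what the relying party keeps to sign and to unwrap the CEK.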