How to Obtain the JWK URL for a Third-Party Identity Provider?

[Eddie-Las]

Hello,
I'm currently working on integrating digiRunner with a third-party Identity Provider (IdP), and I need to obtain the JWK (JSON Web Key) URL in order to verify the JWTs issued by the IdP.

Could you please share the recommended or standard procedure for retrieving this URL?
Also, are there any specific configurations or considerations I should be aware of when setting this up in digiRunner?

Thanks a lot.

[TPIsoftwareOSPO]

Hi there,

The most standard and recommended way to obtain a third-party IdP's JWK (JSON Web Key) URL is through its OIDC (OpenID Connect) Discovery endpoint, commonly known as the Well-Known URL.
This mechanism allows your application (such as digiRunner) to automatically discover all necessary endpoint information—including the JWK URL—without needing to hardcode anything.

---

🔹 Step-by-Step Guide

Step 1: Find the Third-Party’s Well-Known OIDC Discovery URL

Most Identity Providers (IdPs) that follow the OIDC specification (e.g., Google, Keycloak) provide a public discovery endpoint.
The path for this URL is standardized and typically follows this format:

https://<domain>/.well-known/openid-configuration

You can usually find this URL in the provider’s developer documentation.

Examples:

• Google: https://accounts.google.com/.well-known/openid-configuration
• Keycloak: http://{keycloak-domain}/realms/{realm-name}/.well-known/openid-configuration

---

Step 2: Access the Well-Known URL and Parse the Returned JSON

You can access this URL directly in your browser or by using a command-line tool like curl.
It will return a JSON document containing all OIDC endpoint information for that IdP.

Example using curl (Keycloak):

curl http://localhost:8080/realms/customer-api-realm/.well-known/openid-configuration

---

Step 3: Find jwks_uri in the JSON Response

In the returned JSON, locate the jwks_uri field.
This value is the JWK Set URL—it points to a JSON document that contains all the public keys used by the IdP to sign its JWTs.

Example JSON Response (excerpt):

{
  "issuer": "http://localhost:8080/realms/customer-api-realm",
  "authorization_endpoint": "...",
  "token_endpoint": "...",
  "jwks_uri": "http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/certs",
  "response_types_supported": [...]
}

➡️ From the example above, the JWK URL is:
http://localhost:8080/realms/customer-api-realm/protocol/openid-connect/certs

---

⚙️ Practical Application: Configuring a Third-Party IdP in digiRunner

When configuring an external OIDC Identity Provider in digiRunner
(for example: Client Management > GTW OAuth 2.0 IdP),
you only need to provide the Well-Known URL.

digiRunner’s Service Discovery feature will automatically:

• Parse the OIDC metadata
• Retrieve endpoints such as the Authorization URL, Token URL, and jwks_uri
• Simplify the overall configuration process

This auto-discovery mechanism is a key advantage of OIDC and is considered an industry best practice for secure and scalable IdP integration.

---

Hope this helps clarify the process! 🚀
Let me know if you'd like an example using a specific IdP (e.g., Azure AD, Okta, or Keycloak).

[Eddie-Las]

Thanks a lot, it's working properly now.