Add jwks endpoint (#27)

erwinkramer · web-flow · commit 3d0de0129825 · 2025-09-16T11:30:36.000+02:00
diff --git a/BankApi.Core/Defaults/Helper.Jwk.cs b/BankApi.Core/Defaults/Helper.Jwk.cs
@@ -0,0 +1,23 @@
+using Jose;
+using System.Security.Cryptography;
+
+public static class JwkHelper
+{
+    public static WebApplication MapJwk(this WebApplication app, out Jwk jwk)
+    {
+        var ecSigner = ECDsa.Create(ECCurve.NamedCurves.nistP521); // Typically, you'd load this from a secure location and not create a new one each time
+
+        jwk = new Jwk(ecSigner, false)
+        {
+            KeyId = "bank-api-2025-1"
+        };
+
+        var keySet = new JwkSet(jwk);
+
+        app.MapGet("/.well-known/jwks.json", () => TypedResults.Ok(keySet.ToDictionary()))
+            .ExcludeFromDescription()
+            .AllowAnonymous();
+
+        return app;
+    }
+}
diff --git a/BankApi.Core/Defaults/Helper.JwsResponseSigningMiddleware.cs b/BankApi.Core/Defaults/Helper.JwsResponseSigningMiddleware.cs
@@ -1,20 +1,19 @@
 using Jose;
-using System.Security.Cryptography;
 
 /// <summary>
 /// <para> This middleware class signs the response body of each HTTP response using JSON Web Signature (JWS) with ECDSA.</para>
 /// </summary>
 public class JwsResponseSigningMiddleware
 {
     private readonly RequestDelegate _next;
-    private readonly ECDsa _ecSigner;
+    private readonly Jwk _jwk;
     private static readonly string[] headerCritValue = ["kid", "alg"];
     private static readonly string[] pathsToSkip = ["/scalar", "/openapi", "/health"];
 
-    public JwsResponseSigningMiddleware(RequestDelegate next, ECDsa ecSigner)
+    public JwsResponseSigningMiddleware(RequestDelegate next, Jwk jwk)
     {
         _next = next;
-        _ecSigner = ecSigner;
+        _jwk = jwk;
     }
 
     public async Task InvokeAsync(HttpContext context)
@@ -39,13 +38,13 @@ public async Task InvokeAsync(HttpContext context)
         {
             { "crit", headerCritValue },
             { "iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
-            { "kid", "bank-api-2025-1" }
+            { "kid", _jwk.KeyId }
         };
 
         // Sign the response body using ECDSA
         string jws = JWT.EncodeBytes(
             responseBytes,
-            _ecSigner,
+            _jwk,
             JwsAlgorithm.ES512,
             extraHeaders,
             options: new JwtOptions { DetachPayload = true });
diff --git a/BankApi.Service.Beta/Program.cs b/BankApi.Service.Beta/Program.cs
@@ -1,9 +1,7 @@
-using System.Security.Cryptography;
 using Gridify;
 using Microsoft.OpenApi.Models;
 
 var builder = WebApplication.CreateBuilder(args);
-var ecSigner = ECDsa.Create(ECCurve.NamedCurves.nistP521); // Typically, you'd load this from a secure location and not create a new one each time
 
 GlobalConfiguration.ApiDocument = builder.Configuration.GetRequiredSection("ApiDocument").Get<OpenApiDocument>()!;
 GlobalConfiguration.ApiSettings = builder.Configuration.GetRequiredSection("ApiSettings").Get<GlobalConfiguration.SettingsModel>()!;
@@ -26,7 +24,8 @@
 
 var app = builder.Build();
 
-app.UseMiddleware<JwsResponseSigningMiddleware>(ecSigner);
+app.MapJwk(out var jwk); // register JWKS endpoint
+app.UseMiddleware<JwsResponseSigningMiddleware>(jwk);
 app.UseMiddleware<ApiVersionHeaderMiddleware>();
 app.UseExceptionHandler();
 app.UsePathBase(new($"/{GlobalConfiguration.ApiDocument.Info.Version}")); // Useful when versioning routing happens in an API Management system
diff --git a/BankApi.Service.Beta/apptests.http b/BankApi.Service.Beta/apptests.http
@@ -7,6 +7,10 @@
 
 ###
 
+https://{{host}}/{{apiVersion}}/.well-known/jwks.json
+
+###
+
 https://{{host}}/{{apiVersion}}/health
 Ocp-Apim-Subscription-Key: Lifetime Subscription
 
diff --git a/BankApi.Service.Stable/Program.cs b/BankApi.Service.Stable/Program.cs
@@ -1,9 +1,7 @@
-using System.Security.Cryptography;
 using Gridify;
 using Microsoft.OpenApi.Models;
 
 var builder = WebApplication.CreateBuilder(args);
-var ecSigner = ECDsa.Create(ECCurve.NamedCurves.nistP521); // Typically, you'd load this from a secure location and not create a new one each time
 
 GlobalConfiguration.ApiDocument = builder.Configuration.GetRequiredSection("ApiDocument").Get<OpenApiDocument>()!;
 GlobalConfiguration.ApiSettings = builder.Configuration.GetRequiredSection("ApiSettings").Get<GlobalConfiguration.SettingsModel>()!;
@@ -26,7 +24,8 @@
 
 var app = builder.Build();
 
-app.UseMiddleware<JwsResponseSigningMiddleware>(ecSigner);
+app.MapJwk(out var jwk); // register JWKS endpoint
+app.UseMiddleware<JwsResponseSigningMiddleware>(jwk);
 app.UseMiddleware<ApiVersionHeaderMiddleware>();
 app.UseExceptionHandler();
 app.UsePathBase(new($"/{GlobalConfiguration.ApiDocument.Info.Version}")); // Useful when versioning routing happens in an API Management system
diff --git a/BankApi.Service.Stable/apptests.http b/BankApi.Service.Stable/apptests.http
@@ -7,6 +7,10 @@
 
 ###
 
+https://{{host}}/{{apiVersion}}/.well-known/jwks.json
+
+###
+
 https://{{host}}/{{apiVersion}}/health
 Ocp-Apim-Subscription-Key: Lifetime Subscription
 
