Keys and signatures

By default, the OIDC Manager creates an RSA key for RS256 token signatures on first startup. On subsequent startups, the same key will be used again.

If you want to enforce a certain key or key type for token signatures, you may use the config command, providing the key management functions of the SSI Kit to create a key.

The following key and token signature types are currently supported:

Signature   Key               Hash
RS256       RSA 2048          SHA256
EdDSA       EdDSA_Ed25519     SHA256
ES256K      ECDSA_Secp256k1   SHA256

The chosen key type implicitly defines the signature and hash type, according to the table above.

Generate key

The following example shows how to manually create an RSA key for the OIDC manager using the config command of the IDP Kit:

waltid-idpkit config --oidc key gen -a RSA

This command generates an RSA key, saves it in the key store in the context of the OIDC manager, and prints the key ID:

Output:

[...]
[main] INFO id.walt.idp.cli.ConfigCmd - Running in context of: OIDCContext
Generating RSA key pair...
[main] DEBUG id.walt.services.keystore.HKVKeyStoreService - Storing key "715b3ebf65074f1183a48c4b7c8e311c".
Key "715b3ebf65074f1183a48c4b7c8e311c" generated.

List available keys

To list all the available keys in the OIDC Manager context, you can type:

waltid-idpkit config --oidc key list

Output:

[...]
Listing keys ...

Results:
[...]
- 1: "e8392ed7e8524b34bc4ab7609c2f6d99" (Algorithm: "RSA", provided by "SUN")
- 2: "715b3ebf65074f1183a48c4b7c8e311c" (Algorithm: "RSA", provided by "SUN")

Configure key

Now, to configure the key generated above, copy the key ID printed by the command, and paste it into the configuration file, like so:

{
  [...]
  "keyId": "715b3ebf65074f1183a48c4b7c8e311c",
  [...]
}
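As an added illustration (not part of the IDP Kit or this page), the table above and the keyId setting can be turned into a pinning check on the side that consumes the tokens: only accept a JWT whose alg is the one implied by the configured key type, and whose kid, if present, names the configured key. It is an assumption that the IDP Kit places the keyId in the kid header; the page does not state this. The sample tokens are constructed inline.

```python
import base64
import json

# The key-type -> (signature, hash) mapping from the table above.
KEY_TYPE_TO_SIGNATURE = {
    "RSA": ("RS256", "SHA256"),
    "EdDSA_Ed25519": ("EdDSA", "SHA256"),
    "ECDSA_Secp256k1": ("ES256K", "SHA256"),
}

# Key ID from the "key gen" output above, i.e. the keyId in the config file.
CONFIGURED_KEY_ID = "715b3ebf65074f1183a48c4b7c8e311c"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding compact JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_token_header(token: str, key_type: str, configured_key_id: str = CONFIGURED_KEY_ID):
    """Pin the JOSE header of a compact JWT to the configured signing key.

    Returns (True, header) when the token's alg is the one implied by key_type
    and, if a kid header is present, it names the configured key; otherwise
    (False, reason). Only the header is checked here; the signature itself
    must still be verified with the key's public half."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS: expected 3 segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "JOSE header is not valid base64url JSON"
    expected_alg, _hash = KEY_TYPE_TO_SIGNATURE[key_type]
    if header.get("alg") != expected_alg:  # also rejects "none" and any other alg
        return False, f"alg {header.get('alg')!r} != {expected_alg} implied by {key_type}"
    kid = header.get("kid")  # assumption: kid carries the keyId; not stated by the page
    if kid is not None and kid != configured_key_id:
        return False, f"kid {kid!r} is not the configured keyId"
    return True, header


def constructed_token(header: dict) -> str:
    """Build a sample token with a dummy signature (constructed; not real IDP Kit output)."""
    segments = [json.dumps(header).encode(), b'{"sub":"demo"}', b"dummy-signature"]
    return ".".join(_b64url_encode(s) for s in segments)
```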
