Manual JWK support is a bit weird in Tyk btw, which is why it isn’t documented; it’s a totally custom implementation which is non-standard.
If you want standards-based JWK support, use OpenID Connect as an auth mechanism.
Regarding the custom JWKs…
Custom JWK support and JWT with Tyk (NOT OpenID Connect)
Create a fake JWK file that has the following format:
{
  "keys": [{
    "alg": "RS256",
    "kty": "RSA",
    "use": "sig",
    "x5c": [""],
    "n": "",
    "e": "AQAB",
    "kid": "12345",
    "x5t": "12345"
  }]
}
For each public key, you need a keys entry.
The kid and x5t values need to be the same as the kid claim you are going to use in your token. And the kty value must match the crypto method (RSA). You can safely ignore all the other fields.
You then need to encode your PEM-encoded public key like this:
tyk@tyk-dev-env ~/jwk $ cat public.pem | base64 > b64.txt
tyk@tyk-dev-env ~/jwk $ cat b64.txt
...base64 data here...
Put this value into the first element of the x5c array; we only use the first value per key id in this method.
Once you have your two keys in place, put this JWK onto a web server that Tyk can see.
Now modify your API definition to use the URL instead of the raw public key as the value you add to the JWT source field.
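The steps above can be scripted, shown here as an added example that is not part of the original post or Tyk's own code. It builds the JWK file in the format shown, emits the base64 as one unwrapped line (GNU `base64` wraps at 76 columns by default, and a JSON string cannot hold raw newlines), and refuses private-key PEMs so one is never published by mistake. The function names and the sample PEM are assumptions made for the example.

```python
import base64
import json

# Constructed placeholder, NOT a valid key: the script treats the PEM as opaque bytes.
SAMPLE_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"


def tyk_jwk_entry(kid: str, public_pem: bytes) -> dict:
    """Build one keys entry in the custom format described above."""
    text = public_pem.decode("ascii").strip()
    lines = text.splitlines()
    first = lines[0] if lines else ""
    # This file is served from a web server, so never let a private key in.
    if "PRIVATE KEY" in text:
        raise ValueError(f"kid {kid}: refusing to publish a private key")
    if not (first.startswith("-----BEGIN ") and first.endswith("PUBLIC KEY-----")):
        raise ValueError(f"kid {kid}: input is not a PEM public key")
    # Same bytes as `cat public.pem | base64`, but without line wrapping.
    x5c0 = base64.b64encode(public_pem).decode("ascii")
    return {
        "alg": "RS256",
        "kty": "RSA",   # must match the crypto method
        "use": "sig",
        "x5c": [x5c0],  # only the first element is used per key id
        "n": "",
        "e": "AQAB",
        "kid": kid,     # must equal the kid claim in the token
        "x5t": kid,     # must be the same value as kid
    }


def build_tyk_jwks(keys: dict) -> str:
    """keys maps kid -> PEM bytes; returns the JSON document to host."""
    return json.dumps({"keys": [tyk_jwk_entry(k, p) for k, p in keys.items()]}, indent=2)


if __name__ == "__main__":
    # Two constructed key ids pointing at the placeholder PEM.
    print(build_tyk_jwks({"12345": SAMPLE_PEM, "67890": SAMPLE_PEM}))
```
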