
JWKS in Keycloak

Overview

The JSON Web Key Set (JWKS) is a collection of public keys used to verify JSON Web Tokens (JWTs) issued by an authorization server. When using asymmetric signing algorithms such as RS256, the server signs the JWT with a private key, and client applications validate it with the corresponding public key provided in the JWKS.

Keycloak supports multiple algorithms for signing JWTs: RS256, RS384, RS512, and HS256.

  • RS256/RS384/RS512 → Asymmetric (recommended)
  • HS256 → Symmetric (less secure for multi-party integrations)

Keycloak implements the JSON Web Key (JWK) specification to represent and expose cryptographic keys. These keys are published as a JWKS (a set of JWKs), making them available for client applications to automatically fetch and use.

Configuring JWKS in Keycloak

This step-by-step guide explains how to configure JSON Web Key Set (JWKS) in Keycloak to ensure secure validation of JSON Web Tokens (JWTs).
JWKS allows client applications to automatically retrieve and use the public keys required to verify signatures, reducing manual key management.

This tutorial does not cover all the necessary security best practices for a complete configuration.

Step 1 — Enable JWKS for a Client Application

  1. Log in to your Keycloak admin console as an administrator.
  2. Select the realm to be configured (here: acme-demo).
  3. Navigate to Clients and select the target client.
  4. Go to the Credentials tab.
  5. From the dropdown list, select Signed JWT.
  6. Click Save and confirm your configuration.
Keycloak admin console - Enable Signed JWT for a Client Application

Step 2 — Configure the JWKS URL

  1. Go to the Keys tab.
  2. Enable the Use JWKS URL toggle. (Using a JWKS URL ensures that keys are picked up automatically when your application rotates them, without manual intervention.)
  3. Register the JWKS URL of your application (or upload a certificate if necessary).
  4. Click Save and confirm your configuration.
Keycloak admin console - Configure the JWKS URL

Step 3 — Retrieve the Realm JWKS URL

Keycloak exposes its JWKS through the OpenID Connect discovery endpoint; the endpoint URL is shown on the realm settings page.

  1. Navigate to Realm settings.
  2. Go to the General tab.
  3. Scroll down to the Endpoints section.

The URL follows the pattern /realms/MY-REALM/.well-known/openid-configuration. The discovery document it returns lists the JWKS endpoint itself in its jwks_uri field.

Keycloak admin console - Retrieve the Realm JWKS URL

Step 4 — Configure your application

In your application (API, frontend, or backend), configure the JWKS endpoint URL retrieved in the previous step.
This ensures that JWT validation is performed against the trusted public keys published by Keycloak: the application selects the key matching the token's kid header, verifies the signature, and then checks the issuer and expiry claims.

Resources