jwks
Creates, updates, deletes, gets or lists a jwks resource.
Overview
Name | jwks |
Type | Resource |
Id | okta.apps.jwks |
Fields
The following fields are returned by SELECT queries:
- list_jwk
- get_jwk
Name | Datatype | Description |
---|
Name | Datatype | Description |
---|
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_jwk | select | subdomain | | Lists all JSON Web Keys for an OAuth 2.0 client app |
get_jwk | select | subdomain | | Retrieves an OAuth 2.0 Client JSON Web Key by keyId. |
add_jwk | insert | subdomain | | Adds a new JSON Web Key to the client's JSON Web Keys.<br />**Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kid`s. Use the [Replace an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSOPublicKeys/#tag/ApplicationSSOPublicKeys/operation/deletejwk) and re-add the key with a `kid`. |
deletejwk | delete | subdomain | | Deletes an OAuth 2.0 Client JSON Web Key by keyId. You can only delete an inactive key. |
activate_oauth2_client_json_web_key | exec | subdomain | | Activates an OAuth 2.0 Client JSON Web Key by keyId.<br />**Note:** You can have only one active encryption key at any given time for an app. When you activate an inactive key, the current active key is automatically deactivated. |
deactivate_oauth2_client_json_web_key | exec | subdomain | | Deactivates an OAuth 2.0 Client JSON Web Key by keyId.<br />**Note:** You can only deactivate signing keys. Deactivating the active encryption key isn't allowed if the client has ID token encryption enabled. You can activate another encryption key, which makes the current key inactive. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc.) or one of your configured custom domains. (default: my-org) |
SELECT examples
- list_jwk
- get_jwk
Lists all JSON Web Keys for an OAuth 2.0 client app
SELECT
*
FROM okta.apps.jwks
WHERE subdomain = '{{ subdomain }}'; -- required
Retrieves an OAuth 2.0 Client JSON Web Key by keyId.
SELECT
*
FROM okta.apps.jwks
WHERE subdomain = '{{ subdomain }}'; -- required
INSERT examples
- add_jwk
- Manifest
Adds a new JSON Web Key to the client's JSON Web Keys.
> **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kid`s. Use the [Replace an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSOPublicKeys/#tag/ApplicationSSOPublicKeys/operation/deletejwk) and re-add the key with a `kid`.
INSERT INTO okta.apps.jwks (
subdomain
)
SELECT
'{{ subdomain }}'
;
# Description fields are for documentation purposes
- name: jwks
  props:
    - name: subdomain
      value: string
      description: Required parameter for the jwks resource.
DELETE examples
- deletejwk
Deletes an OAuth 2.0 Client JSON Web Key by keyId. You can only delete an inactive key.
DELETE FROM okta.apps.jwks
WHERE subdomain = '{{ subdomain }}'; -- required
Lifecycle Methods
- activate_oauth2_client_json_web_key
- deactivate_oauth2_client_json_web_key
Activates an OAuth 2.0 Client JSON Web Key by keyId.
> Note: You can have only one active encryption key at any given time for an app. When you activate an inactive key, the current active key is automatically deactivated.
EXEC okta.apps.jwks.activate_oauth2_client_json_web_key
@subdomain='{{ subdomain }}'; -- required
Deactivates an OAuth 2.0 Client JSON Web Key by keyId.
> Note: You can only deactivate signing keys. Deactivating the active encryption key isn't allowed if the client has ID token encryption enabled. You can activate another encryption key, which makes the current key inactive.
EXEC okta.apps.jwks.deactivate_oauth2_client_json_web_key
@subdomain='{{ subdomain }}'; -- required
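The notes on add_jwk, deletejwk and the two lifecycle methods constrain the order in which a client key can be rotated. The following Python is an added example, not StackQL or Okta code: it replays a rotation plan against a constructed key list and rejects any step the notes forbid. The record fields `kid`, `use` (`sig`/`enc`) and `status` (`ACTIVE`/`INACTIVE`), and the assumption that a newly added key starts inactive, are not taken from this page.

```python
# Added example. Key records are constructed; field names and values are assumptions.
import copy

ADD, ACTIVATE = "add_jwk", "activate_oauth2_client_json_web_key"
DEACTIVATE, DELETE = "deactivate_oauth2_client_json_web_key", "deletejwk"


def apply_op(keys, op, key):
    """Apply one method to a copy of the key list, enforcing the page's notes."""
    keys = copy.deepcopy(keys)
    if op == ADD:
        # add_jwk note: refused while any existing key has no kid.
        if not key.get("kid") or any(not k.get("kid") for k in keys):
            raise ValueError("add_jwk: every key, new and existing, needs a kid")
        keys.append(dict(key, status="INACTIVE"))  # assumption: added inactive
        return keys
    target = next(k for k in keys if k["kid"] == key["kid"])
    if op == ACTIVATE:
        if target["use"] == "enc":  # only one active encryption key per app
            for k in keys:
                if k["use"] == "enc":
                    k["status"] = "INACTIVE"
        target["status"] = "ACTIVE"
    elif op == DEACTIVATE:
        if target["use"] != "sig":
            raise ValueError("deactivate: only signing keys can be deactivated")
        target["status"] = "INACTIVE"
    elif op == DELETE:
        if target["status"] != "INACTIVE":
            raise ValueError("deletejwk: only an inactive key can be deleted")
        keys.remove(target)
    return keys


def plan_rotation(keys, new_key):
    """Return ((method, kid) steps, resulting key list) for swapping in new_key."""
    old = [k for k in keys
           if k["use"] == new_key["use"] and k["status"] == "ACTIVE"]
    steps = [(ADD, new_key), (ACTIVATE, new_key)]
    for k in old:
        if k["use"] == "sig":  # enc keys were already deactivated by ACTIVATE
            steps.append((DEACTIVATE, k))
        steps.append((DELETE, k))
    state = keys
    for op, k in steps:  # replay the plan so an invalid order fails here
        state = apply_op(state, op, k)
    return [(op, k["kid"]) for op, k in steps], state
```
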