oauth2_resource_server_jwks
Creates, updates, deletes, gets or lists an oauth2_resource_server_jwks resource.
Overview
Name | oauth2_resource_server_jwks |
Type | Resource |
Id | okta.authorizationservers.oauth2_resource_server_jwks |
Fields
The following fields are returned by SELECT queries:
- list_oauth2_resource_server_json_web_keys
- get_oauth2_resource_server_json_web_key
Name | Datatype | Description |
---|---|---|
id | string | The unique ID of the JSON Web Key (example: apk2f4zrZbs8nUa7p0g4) |
_links | object | Specifies link relations (see Web Linking) available for the current status of a JSON Web Key using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
created | string | Timestamp when the JSON Web Key was created (example: 2023-02-21T20:08:24.000Z) |
e | string | RSA key value (exponent) for key binding (example: AQAB) |
kid | string | Unique identifier of the JSON Web Key in the Custom Authorization Server's Public JWKS (example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4) |
kty | string | Cryptographic algorithm family for the certificate's key pair (example: RSA) |
lastUpdated | string | Timestamp when the JSON Web Key was updated (example: 2023-02-21T20:08:24.000Z) |
n | string | RSA key value (modulus) for key binding (example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ) |
status | string | The status of the encryption key. You can use only an ACTIVE key to encrypt tokens issued by the authorization server. (example: ACTIVE, default: ACTIVE) |
use | string | Acceptable use of the JSON Web Key (example: enc) |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_oauth2_resource_server_json_web_keys | select | subdomain | | Lists all the public keys used by the custom authorization server |
get_oauth2_resource_server_json_web_key | select | subdomain | | Retrieves a custom authorization server public JSON web key by key id |
add_oauth2_resource_server_json_web_key | insert | subdomain | | Adds a new JSON Web Key to the custom authorization server's JSON web keys. **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. Use the [Replace an Authorization Server](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServer/#tag/AuthorizationServer/operation/replaceAuthorizationServer) operation to update the JWKS or [Delete a Custom Authorization Server Public JSON Web Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OAuth2ResourceServerCredentialsKeys/#tag/OAuth2ResourceServerCredentialsKeys/operation/deleteOAuth2ResourceServerJsonWebKey) and re-add the key with a `kid`. **Note:** This API doesn't allow you to add a key with an ACTIVE status. You need to add an INACTIVE key first, and then ACTIVATE the key. |
delete_oauth2_resource_server_json_web_key | delete | subdomain | | Deletes a custom authorization server public JSON web key by key id. You can only delete an inactive key. |
activate_oauth2_resource_server_json_web_key | exec | subdomain | | Activates a custom authorization server public JSON web key by key id. **Note:** You can have only one active key at any given time for the authorization server. When you activate an inactive key, Okta automatically deactivates the current active key. |
deactivate_oauth2_resource_server_json_web_key | exec | subdomain | | Deactivates a custom authorization server public JSON web key by key id. **Note:** Deactivating the active key isn't allowed if the authorization server has access token encryption enabled. You can activate another key, which makes the current key inactive. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
SELECT examples
- list_oauth2_resource_server_json_web_keys
- get_oauth2_resource_server_json_web_key
Lists all the public keys used by the custom authorization server
```sql
SELECT
  id,
  _links,
  created,
  e,
  kid,
  kty,
  lastUpdated,
  n,
  status,
  use
FROM okta.authorizationservers.oauth2_resource_server_jwks
WHERE subdomain = '{{ subdomain }}'; -- required
```
Retrieves a custom authorization server public JSON web key by key id
```sql
SELECT
  id,
  _links,
  created,
  e,
  kid,
  kty,
  lastUpdated,
  n,
  status,
  use
FROM okta.authorizationservers.oauth2_resource_server_jwks
WHERE subdomain = '{{ subdomain }}'; -- required
```
INSERT examples
- add_oauth2_resource_server_json_web_key
- Manifest
Adds a new JSON Web Key to the custom authorization server's JSON web keys.
> **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. Use the [Replace an Authorization Server](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServer/#tag/AuthorizationServer/operation/replaceAuthorizationServer) operation to update the JWKS or [Delete a Custom Authorization Server Public JSON Web Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OAuth2ResourceServerCredentialsKeys/#tag/OAuth2ResourceServerCredentialsKeys/operation/deleteOAuth2ResourceServerJsonWebKey) and re-add the key with a `kid`.

> **Note:** This API doesn't allow you to add a key with an ACTIVE status. You need to add an INACTIVE key first, and then ACTIVATE the key.

```sql
INSERT INTO okta.authorizationservers.oauth2_resource_server_jwks (
  data__e,
  data__kid,
  data__kty,
  data__n,
  data__status,
  data__use,
  subdomain
)
SELECT
  '{{ e }}',
  '{{ kid }}',
  '{{ kty }}',
  '{{ n }}',
  '{{ status }}',
  '{{ use }}',
  '{{ subdomain }}'
RETURNING
  id,
  _links,
  created,
  e,
  kid,
  kty,
  lastUpdated,
  n,
  status,
  use
;
```
```yaml
# Description fields are for documentation purposes
- name: oauth2_resource_server_jwks
  props:
    - name: subdomain
      value: string
      description: Required parameter for the oauth2_resource_server_jwks resource.
    - name: e
      value: string
      description: >
        RSA key value (exponent) for key binding
    - name: kid
      value: string
      description: >
        Unique identifier of the JSON web key in the custom authorization server's public JWKS
    - name: kty
      value: string
      description: >
        Cryptographic algorithm family for the certificate's key pair
    - name: n
      value: string
      description: >
        RSA key value (modulus) for key binding
    - name: status
      value: string
      description: >
        Status of the JSON Web Key
      valid_values: ['ACTIVE', 'INACTIVE']
    - name: use
      value: string
      description: >
        Acceptable use of the JSON Web Key
```
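
The INSERT rules above (a `kid` must be present and a new key must be INACTIVE) can be checked before the statement is run, along with the fact that only public key material belongs in this resource. This is an added example, not StackQL or Okta code; `preflight_jwk`, the 2048-bit floor and the RSA/`enc` requirement are assumptions based on this page's example values and a typical local policy.

```python
import base64

# Private RSA members defined by RFC 7518; a public JWKS entry must never carry them.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}
MIN_MODULUS_BITS = 2048  # assumed policy floor, not a limit stated on this page

def b64url_to_int(value):
    """Decode an unpadded base64url string (the encoding of n and e) to an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def int_to_b64url(number):
    """Encode an integer as unpadded base64url; used here only to build the sample."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def preflight_jwk(jwk):
    """Return a list of problems; an empty list means the values can go into the INSERT."""
    problems = []
    leaked = sorted(PRIVATE_MEMBERS.intersection(jwk))
    if leaked:
        problems.append("private key members present: " + ", ".join(leaked))
    if not jwk.get("kid"):
        problems.append("kid is missing")
    if jwk.get("kty") != "RSA":  # assumption: RSA keys, as in the page's examples
        problems.append("kty must be RSA")
    if jwk.get("use") != "enc":  # assumption: encryption keys, as in the page's examples
        problems.append("use must be enc")
    if jwk.get("status") != "INACTIVE":
        problems.append("status must be INACTIVE on insert; activate afterwards")
    try:
        n = b64url_to_int(jwk["n"])
        e = b64url_to_int(jwk["e"])
    except (KeyError, ValueError, TypeError):
        problems.append("n or e is missing or not base64url")
        return problems
    if n.bit_length() < MIN_MODULUS_BITS:
        problems.append(f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}")
    if e < 3 or e % 2 == 0:
        problems.append("public exponent must be an odd integer >= 3")
    return problems

# Constructed sample: not a real key, only the right shape and size for the checks.
SAMPLE = {"kid": "example-kid-1", "kty": "RSA", "use": "enc", "status": "INACTIVE",
          "e": "AQAB", "n": int_to_b64url((1 << 2047) | 1)}
```
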
DELETE examples
- delete_oauth2_resource_server_json_web_key
Deletes a custom authorization server public JSON web key by key id. You can only delete an inactive key.

```sql
DELETE FROM okta.authorizationservers.oauth2_resource_server_jwks
WHERE subdomain = '{{ subdomain }}'; -- required
```
Lifecycle Methods
- activate_oauth2_resource_server_json_web_key
- deactivate_oauth2_resource_server_json_web_key
Activates a custom authorization server public JSON web key by key id.
> Note: You can have only one active key at any given time for the authorization server. When you activate an inactive key, Okta automatically deactivates the current active key.

```sql
EXEC okta.authorizationservers.oauth2_resource_server_jwks.activate_oauth2_resource_server_json_web_key
@subdomain='{{ subdomain }}'; -- required
```
Deactivates a custom authorization server public JSON web key by key id.
> Note: Deactivating the active key isn't allowed if the authorization server has access token encryption enabled. You can activate another key, which makes the current key inactive.

```sql
EXEC okta.authorizationservers.oauth2_resource_server_jwks.deactivate_oauth2_resource_server_json_web_key
@subdomain='{{ subdomain }}'; -- required
```