You can specify whether PingFederate should use static or dynamically rotating keys to decrypt asymmetrically-encrypted ID tokens.
When static keys are enabled, you must also select an active signing key for the RSA key type.
When static keys are enabled, PingFederate uses only static decryption keys to decrypt asymmetrically-encrypted ID tokens it receives from OpenID providers. Dynamic keys are not used and are not returned by the PingFederate JWKS endpoint /pf/JWKS.
The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when dynamic keys are used.
$ curl -s https://localhost:8031/pf/JWKS | python -m json.tool
{
    "keys": [
        ...
        {
            "kty": "EC",
            "kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI",
            "use": "enc",
            "x": "AUSx-2vdfCjU90KohVs1peISnNUeDmGo3m0_x42PucBr-Gd-mHKXQ8EjTeYgLhFB5SYMV5tntKiezayWkUt9Dodc",
            "y": "AIE6vQYcKdOfyQYzENYQ86MIAwSUo4GR_-dn7m2MvRReXkotWOsFT1WKXi_KjamqJIV2AwAUZL-IQj5mew45lSTM",
            "crv": "P-521"
        },
        {
            "kty": "EC",
            "kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8",
            "use": "enc",
            "x": "IKXASh9aDPJ1YaeXUww1YZnZ3kum_WLKvZe8xiNW6W8",
            "y": "7_zp2AuY8MY4WEuneHEzV0cqW0buqcmMGVzRANQ0r2I",
            "crv": "P-256"
        },
        {
            "kty": "EC",
            "kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE",
            "use": "enc",
            "x": "RiQkv_ArGS7Zc8XsXp0VQpEWz9ZUlbLUWA0VbTcUjWIbOByceGhg-tAj6dlFiorq",
            "y": "aHPQlrJPscdcuHtHokyr-70yBo4nUK-BjWrJgisDxnKJQFLP6YK_dfuOpuVYhFJ5",
            "crv": "P-384"
        },
        {
            "kty": "RSA",
            "kid": "tVP7otNKgIWYep8LPBR3wD3tPNE",
            "use": "enc",
            "n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
            "e": "AQAB"
        },
        ...
    ]
}
When static keys are used, the PingFederate JWKS endpoint /pf/JWKS returns only the configured active keys. The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when an active key was selected for the EC with P-384 curve and EC with P-521 curve key types.
$ curl -s https://localhost:8031/pf/JWKS | python -m json.tool
{
    "keys": [
        ...
        {
            "kty": "EC",
            "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI",
            "use": "enc",
            "x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
            "y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
            "crv": "P-384"
        },
        {
            "kty": "EC",
            "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk",
            "use": "enc",
            "x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
            "y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
            "crv": "P-521"
        },
        ...
    ]
}
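After switching to static keys, one way to confirm that /pf/JWKS publishes only the configured active decryption keys is to compare the "enc" entries in the response with the key IDs you expect. The script below is an added example, not Ping Identity code; the function name audit_enc_keys, the samples and the "example-signing-key" entry are assumptions made for illustration.

```python
import json

def audit_enc_keys(jwks_text, expected_kids):
    """Compare the use="enc" keys in a JWKS document with an allow-list of key IDs."""
    doc = json.loads(jwks_text)
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        raise ValueError("JWKS document has no 'keys' array")
    published = {}
    for jwk in doc["keys"]:
        if jwk.get("use") != "enc":
            continue  # signing keys are outside this check
        kid = jwk.get("kid")
        if not kid:
            raise ValueError("encryption key published without a kid")
        # Label the key type, e.g. "EC/P-384" or "RSA".
        published[kid] = jwk.get("kty", "?") + ("/" + jwk["crv"] if "crv" in jwk else "")
    expected = set(expected_kids)
    return {
        "unexpected": {k: t for k, t in published.items() if k not in expected},
        "missing": sorted(expected - set(published)),
        "ok": set(published) == expected,
    }

# Constructed samples: kid/kty/crv values are taken from the responses above,
# key material is omitted, and the "sig" entry is a made-up placeholder.
STATIC_SAMPLE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "example-signing-key", "use": "sig"},
    {"kty": "EC", "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI", "use": "enc", "crv": "P-384"},
    {"kty": "EC", "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk", "use": "enc", "crv": "P-521"},
]})
DYNAMIC_SAMPLE = json.dumps({"keys": [
    {"kty": "EC", "kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI", "use": "enc", "crv": "P-521"},
    {"kty": "EC", "kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8", "use": "enc", "crv": "P-256"},
    {"kty": "EC", "kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE", "use": "enc", "crv": "P-384"},
    {"kty": "RSA", "kid": "tVP7otNKgIWYep8LPBR3wD3tPNE", "use": "enc"},
]})
EXPECTED_STATIC_KIDS = ["7xKkiMb-YpcK2PcrTUoTrYF8EOI", "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk"]

if __name__ == "__main__":
    for name, sample in (("static", STATIC_SAMPLE), ("dynamic", DYNAMIC_SAMPLE)):
        print(name, audit_enc_keys(sample, EXPECTED_STATIC_KIDS))
```

Against a live server, pass the body returned by the curl command shown above as jwks_text; a non-empty "unexpected" entry means encryption keys outside the configured static set are still being published.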