Can multiple applications share a single JWK set?

[echoari77]

Hi,
I'm working on a system with multiple applications that all authenticate against the same Identity Provider (IdP).
I'm wondering if it's possible for all of these applications to share a single JWK (JSON Web Key) set for token validation, or if each application needs its own dedicated key.

I'd appreciate any insights or best practices on this. Thanks!

[TPIsoftwareOSPO]

Thanks for bringing up this topic — it’s an important part of secure OIDC setup.

Hi, thanks for your question!

Yes — multiple applications can absolutely share the same JWK Set, and in fact, this is the standard and recommended practice under the OpenID Connect (OIDC) and OAuth 2.0 frameworks.

This is because the JWK Set is bound to the Issuer (the Identity Provider, or IdP) — such as a Keycloak Realm or Google’s account service — not to any single client application.

Below is a detailed explanation of how this mechanism works:

---

🔐 How the JWK Sharing Mechanism Works

1. Keys Managed by the IdP
   The Identity Provider (IdP), such as Keycloak or Google, generates and manages key pairs (private/public).
   These private keys are used to sign JWTs (JSON Web Tokens) issued to all authorized client applications within a given scope (e.g., a Realm in Keycloak).

2. Single JWK Set URL (jwks_uri)
   The IdP exposes its public keys as a single JSON Web Key Set (JWKS) via a public URL endpoint called jwks_uri.
   This endpoint contains all the public keys that clients and resource servers can use to validate JWTs.

3. Automatic Discovery via OIDC Discovery Endpoint
   Clients and resource servers don’t need to manually configure this jwks_uri.
   Instead, they discover it automatically through the IdP’s OIDC Discovery URL, typically found at:

https://<issuer>/.well-known/openid-configuration

4. Shared Public Key Validation Process
   When a resource server (e.g., your API backend) receives a JWT from the IdP, it:

• Parses the JWT header to extract the kid (Key ID).
• Fetches the IdP’s JWKS from the jwks_uri.
• Finds the matching key by kid.
• Uses that public key to verify the JWT’s signature.

---

In short, all client applications under the same IdP share the same JWKS endpoint, ensuring centralized key management and simplified trust validation across services.

Hope this helps! 😊
Let me know if you’d like an example configuration (e.g., for Keycloak or Google IdP).