In microservices architecture, the traditional way of copying public key certificates to hosts of services does not work. With container orchestration tools like Kubernetes old containers can be shut down and new containers can be started at any time. The push certificates to services have to be changed to pull certificates from OAuth2 server instead. This service is designed to pull public key certificates based on the keyId that is in the JWT token header. It is tightly integrated with the light-4j framework security component.
For more information on how light-4j security module integrates with this service, please
refer to key distribution
This endpoint is used to get a public key certificate for JWT signature verification based on keyId in the JWT header. The light-Java framework should have been packaged with several keys already when deployed to production, however, keys are changing frequently as old ones expire. You don’t want to redeploy your services just due to key changes on the OAuth server. This endpoint is available for all services which have an entry in the client table so that clientId and clientSecret can be used to verify the identity of the service.
The following validations are performed before the key is issued by the service.
If authorization header doesn’t exist in the request, the following error will be
"description": "Missing authorization header. client credentials must be passed in as Authorization header."
If the client secret is not correct when matching with hashed and salted client secret
in cache, then the following error will be returned.