In a microservices architecture, the traditional approach of copying public key certificates to the hosts that run the services no longer works. With a container orchestration tool like Kubernetes, old containers can be shut down and new containers started at any time, so pushing certificates to services has to be replaced by having the services pull certificates from the OAuth2 server instead. This service is designed to serve the public key certificate identified by the keyId in the JWT token header. It is tightly integrated with light-4j framework security. For more information on how the light-4j security module integrates with this service, please refer to key distribution.
This endpoint is used to get the public key certificate for JWT signature verification based on the keyId in the JWT header. The Light-Java framework should be packaged with several keys already when deployed to production; however, keys change frequently as old ones expire, and you don't want to redeploy your services just because of key changes on the OAuth server. This endpoint is available to every service that has an entry in the client table, so that its clientId and clientSecret can be used to verify the identity of the calling service.
The following validations are performed before the key is issued by the service.

If the authorization header does not exist in the request, the following error will be returned:

    "description": "Missing authorization header. client credentials must be passed in as Authorization header."

If the client secret does not match the hashed and salted client secret in the cache, the following error will be returned.
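The two sides of this exchange, as an added example that is not code from light-oauth2 or light-4j: the calling service reads the keyId from the JWT header and sends its clientId/clientSecret as a Basic Authorization header; the key service refuses the request when that header is missing, checks the secret against a salted hash, and only then returns the certificate for that keyId. The hash parameters, shared salt, HTTP status codes, response shape and the second error message are assumptions of this example; the client table, key store and token are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed data. The server keeps only a salted hash of each client secret; the
# PBKDF2 parameters and a single shared salt are assumptions made for this example.
SALT = b"constructed-salt"

def hash_secret(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)

CLIENT_TABLE = {"svc-orders": hash_secret("orders-secret")}  # clientId -> hashed secret
KEY_STORE = {"100": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
MISSING_AUTH = "Missing authorization header. client credentials must be passed in as Authorization header."
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwMCJ9.e30.sig"  # header {"alg":"RS256","kid":"100"}

def kid_from_jwt(token: str) -> str:
    """Read the keyId ('kid' header parameter) without verifying the token; that comes later."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["kid"]

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What the calling service puts in its Authorization header."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def parse_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    scheme, _, creds = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        client_id, _, client_secret = base64.b64decode(creds).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return client_id, client_secret

def serve_key(headers: Dict[str, str], key_id: str) -> Tuple[int, dict]:
    """Server side: run the validations described above, then return the certificate."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, {"description": MISSING_AUTH}
    creds = parse_basic_auth(auth)
    stored = CLIENT_TABLE.get(creds[0]) if creds else None
    # Constant-time compare of the salted hash; an unknown clientId gets the same error.
    if stored is None or not hmac.compare_digest(hash_secret(creds[1]), stored):
        return 401, {"description": "client secret does not match (constructed message)"}
    if key_id not in KEY_STORE:
        return 404, {"description": "keyId not found (constructed message)"}
    return 200, {"certificate": KEY_STORE[key_id]}
```

A service would call serve_key's endpoint once per unseen keyId and cache the certificate it gets back, which is what lets keys rotate on the OAuth server without a redeploy.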