IG 7.2.0


Manages a secret store for JSON Web Keys (JWK) from a local or remote JWK Set.

The secrets provider queries the JwkSetSecretStore, as follows:

  • If the JWT contains a kid, the secrets provider queries the JwkSetSecretStore for a named secret, identified by value of the kid of a JWK stored in the JwkSetSecretStore.

  • If the JWT doesn’t contain a kid, the secrets provider queries the JwkSetSecretStore for list of valid secrets, whose purpose matches the secret ID and any purpose contraints. The JwkSetSecretStore returns the secrets in the order that they are listed in the JWK set.

The secrets provider builds the secret, checking that the secret’s constraints are met, and returns a unique secret. If the secret’s constraints are not met, the secrets provider cannot build the secret and the secret query fails.

For a description of how secrets are managed, see Secrets.

For information about JWKs and JWK Sets, see SON Web Key (JWK).


  "name": string,
  "type": "JwkSetSecretStore",
  "config": {
    "jwkUrl": configuration expression<url>,
    "handler": Handler reference,
    "cacheTimeout": configuration expression<duration>,
    "cacheMissCacheTime": configuration expression<duration>,
    "leaseExpiry": configuration expression<duration>


"jwkUrl": configuration expression<url>, required

A URL that contains the client’s public keys in JWK format.

"handler": Handler reference, optional

An HTTP client handler to communicate with the jwkUrl.

Usually set this property to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.

Default: ClientHandler

"cacheTimeout": configuration expression<duration>, optional

Delay before the cache is reloaded. The cache contains the jwkUrl.

The cache cannot be deactivated. If a value lower than 10 seconds is configured, a warning is logged and the default value is used instead.

Default: 2 minutes

"cacheMissCacheTime": configuration expression<duration>, optional

If the jwkUrl is looked up in the cache and is not found, this is the delay before the cache is reloaded.

Default: 2 minutes

"leaseExpiry": configuration expression<duration>, optional

The amount of time that secrets produced by this store can be cached before they must be refreshed.

If the duration is zero or unlimited, IG issues a warning, and uses the default value.

Default: 5 minutes

Log level

To facilitate debugging secrets for the JwkSetSecretStore, in logback.xml add a logger defined by the fully qualified package name of the JwkSetSecretStore. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.secrets.jwkset" level="ALL">


For an example of how to set up and use JwkSetSecretStore to validate signed access tokens, see Validate signed access_tokens with the StatelessAccessTokenResolver and JwkSetSecretStore.

Copyright © 2010-2022 ForgeRock, all rights reserved.