Manages a secret store for JSON Web Keys (JWK) from a local or remote JWK Set.

Secrets from JwkSetSecretStore have a non-configurable lease duration, equal to the value of cacheTimeout. The secret can be used for that duration before it is refreshed or discarded. A key that is removed from the JWK Set, for example after rotation, therefore remains usable until the current lease expires; choose cacheTimeout with that window in mind.

For a description of how secrets are managed, see "Secrets".

For information about JWKs and JWK Sets, see RFC 7517, JSON Web Key (JWK).

  {
    "name": string,
    "type": "JwkSetSecretStore",
    "config": {
      "jwkUrl": configuration expression<url>,
      "handler": Handler reference or inline handler declaration,
      "cacheTimeout": configuration expression<duration>,
      "cacheMissCacheTime": configuration expression<duration>
    }
  }

"jwkUrl": configuration expression<url>, required

A URL that returns the public keys, in JWK Set format, that this store provides as secrets. Use an https URL: the TLS trust configured on the handler is what authenticates the key source, and a JWK Set fetched over plain HTTP can be replaced by anyone on the network path.

"handler": Handler reference or inline handler declaration, optional

An HTTP client handler to communicate with the jwkUrl.

Usually set this property to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.

Default: ClientHandler

"cacheTimeout": configuration expression<duration>, optional

Delay before the cached JWK Set is reloaded from jwkUrl. This value is also the lease duration of every secret the store returns.

Default: 2 minutes

"cacheMissCacheTime": configuration expression<duration>, optional

If a requested key is not found in the cached JWK Set, this is the delay before the set is reloaded from jwkUrl. It limits how often lookups for unknown key IDs cause a fetch from the JWK endpoint.

Default: 2 minutes
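The following heap entry is an added example and is not taken from the original page. It declares a JwkSetSecretStore that fetches the JWK Set over HTTPS through the default ClientHandler, reloads it every 5 minutes, and waits 30 seconds before reloading after a lookup for a key ID that is not in the cached set. The host name, path, and durations are assumed values.

```json
{
  "name": "JwkSetSecretStore-1",
  "type": "JwkSetSecretStore",
  "config": {
    "jwkUrl": "https://as.example.com/oauth2/connect/jwk_uri",
    "handler": "ClientHandler",
    "cacheTimeout": "5 minutes",
    "cacheMissCacheTime": "30 seconds"
  }
}
```

With cacheTimeout at 5 minutes, a signing key that the issuer has removed from the set is still accepted for up to 5 minutes after removal; shorten the value if rotation must take effect faster, at the cost of more frequent fetches. The 30-second cacheMissCacheTime means a burst of tokens carrying an unknown kid triggers at most one reload of the set every 30 seconds.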

Log Level

To debug secret resolution in the JwkSetSecretStore, add to logback.xml a logger named with the fully qualified package of the JwkSetSecretStore. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.secrets.jwkset" level="ALL" />


For an example of how to set up and use JwkSetSecretStore to validate signed access tokens, see "Validating Signed Access_Tokens With the StatelessAccessTokenResolver and JwkSetSecretStore".

