---
page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
subcategory: ""
description: |-
  Manages an Ory Network JSON Web Key Set (JWKS).
---
# {{.Name}} ({{.Type}})
Manages an Ory Network JSON Web Key Set (JWKS).

JSON Web Keys are used for signing and encrypting tokens. This resource generates and manages custom key sets for your Ory project's OAuth2/OIDC service (Hydra).

-> **Plan:** Available on all Ory Network plans.

~> **Note:** This resource is **immutable**. Any change to `project_id`, `set_id`, `key_id`, `algorithm`, or `use` will destroy the existing key set and create a new one. Private keys in the old set will be permanently lost.
## Algorithms
| Algorithm | Type | Description |
|-----------|------|-------------|
| `RS256` | RSA | RSA with SHA-256 — widely supported, good default for signing |
| `ES256` | ECDSA | Elliptic curve P-256 — smaller keys, faster than RSA |
| `ES512` | ECDSA | Elliptic curve P-521 — stronger but slower than ES256 |
| `HS256` | HMAC | Symmetric — uses shared secret, not suitable for public verification |
| `HS512` | HMAC | Symmetric — stronger HMAC variant |
## Choosing the Right Algorithm
| Scenario | Recommended | Why |
|----------|-------------|-----|
| **General signing** (default) | `RS256` | Widest compatibility across OAuth2/OIDC libraries |
| **High-performance signing** | `ES256` | Smaller keys, faster operations — ideal for high-throughput APIs |
| **Maximum security** | `ES512` | Strongest elliptic curve option |
| **Internal services only** | `HS256`/`HS512` | Symmetric — both parties must share the secret. Not suitable for public token verification |
### `sig` vs `enc` Use
| Use | Description |
|-----|-------------|
| `sig` | **Signing** — for JWT signing, ID token signing, and token verification. This is the most common use case. |
| `enc` | **Encryption** — for encrypting tokens or data at rest. Rarely needed unless you have specific encryption requirements. |

Most configurations only need `use = "sig"`.
## Example Usage
{{ tffile "examples/resources/ory_json_web_key_set/resource.tf" }}
## Keys Output
The `keys` attribute contains the JSON Web Key Set as a JSON string with **public parts only**. Private keys are never exposed in Terraform state. The output follows the standard JWKS format:
```json
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "sig-key-1",
      "use": "sig",
      "alg": "RS256",
      "n": "...",
      "e": "..."
    }
  ]
}
```
On read, the provider extracts `algorithm`, `use`, and `key_id` from the **first key** in the set.
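The Algorithms table and the `keys` output described above, as an added example that is not part of the provider's documentation or code: a small standard-library Python audit that mirrors the provider's read behaviour by taking `algorithm`, `use` and `key_id` from the first key only, and then checks the set before it is published or committed to state. It flags a `kty` or `crv` that does not match the algorithm in the table, any private JWK member (`d`, `p`, `q`, `k` and the rest) that must never appear in the `keys` attribute, and symmetric HMAC keys, which have no public part at all. The two sample key sets, their placeholder base64url values and the function names are constructed for this example.

```python
import json

# Expected JWK key type (and EC curve) for each algorithm in the Algorithms table,
# per RFC 7518. HS* algorithms use symmetric "oct" keys.
ALG_KEY_TYPES = {
    "RS256": ("RSA", None),
    "ES256": ("EC", "P-256"),
    "ES512": ("EC", "P-521"),
    "HS256": ("oct", None),
    "HS512": ("oct", None),
}

# JWK members that carry private or secret material (RFC 7518 sections 6.2.2, 6.3.2, 6.4).
# None of these may appear in a key set that is published or kept in Terraform state.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "oct": {"k"},
}


def first_key_metadata(jwks_json):
    """Mirror the provider's read: algorithm, use and key_id come from the first key only."""
    keys = json.loads(jwks_json).get("keys", [])
    if not keys:
        raise ValueError("JWKS contains no keys")
    first = keys[0]
    return {"algorithm": first.get("alg"), "use": first.get("use"), "key_id": first.get("kid")}


def audit_jwks(jwks_json):
    """Return a list of findings; an empty list means the set is safe to publish."""
    findings = []
    for idx, key in enumerate(json.loads(jwks_json).get("keys", [])):
        kty, alg = key.get("kty"), key.get("alg")
        kid = key.get("kid") or f"<key {idx}>"
        expected = ALG_KEY_TYPES.get(alg)
        if expected is None:
            findings.append(f"{kid}: unsupported alg {alg!r}")
        else:
            exp_kty, exp_crv = expected
            if kty != exp_kty:
                findings.append(f"{kid}: alg {alg} expects kty {exp_kty}, got {kty!r}")
            if exp_crv is not None and key.get("crv") != exp_crv:
                findings.append(f"{kid}: alg {alg} expects crv {exp_crv}, got {key.get('crv')!r}")
        if key.get("use") not in ("sig", "enc"):
            findings.append(f"{kid}: use must be 'sig' or 'enc', got {key.get('use')!r}")
        # Any private member present means the set was exported with secrets included.
        leaked = PRIVATE_MEMBERS.get(kty, set()) & set(key)
        if leaked:
            findings.append(f"{kid}: private material present: {sorted(leaked)}")
        if kty == "oct":
            findings.append(f"{kid}: symmetric HMAC key has no public part and must not be published")
    return findings


# Constructed sample in the shape of the provider's `keys` output, public parts only.
# The base64url values are placeholders, not real key material.
PUBLIC_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "RS256",
         "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy", "e": "AQAB"},
        {"kty": "EC", "kid": "sig-key-2", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
         "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    ]
})

# Constructed sample of what must never be published: an EC private scalar and an HMAC secret.
LEAKY_JWKS = json.dumps({
    "keys": [
        {"kty": "EC", "kid": "bad-ec", "use": "sig", "alg": "ES512", "crv": "P-521",
         "x": "AHKZLL", "y": "AdymlH", "d": "AY5pb7"},
        {"kty": "oct", "kid": "bad-hmac", "use": "sig", "alg": "HS256", "k": "c2VjcmV0"},
    ]
})

if __name__ == "__main__":
    print(first_key_metadata(PUBLIC_JWKS))  # {'algorithm': 'RS256', 'use': 'sig', 'key_id': 'sig-key-1'}
    print(audit_jwks(PUBLIC_JWKS))           # []
    for finding in audit_jwks(LEAKY_JWKS):
        print("FINDING:", finding)
```

Because the provider only tracks the first key's metadata, the audit deliberately walks every key: a second key with a leaked `d` or an unexpected `kty` would otherwise be invisible in plan output. Running the audit against the `keys` attribute (for example from `terraform output -json`) in CI is a cheap way to catch a key set that was exported with private members before it reaches a public JWKS endpoint.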
## Import
Import using the format `project_id/set_id` or just `set_id` (uses provider's project_id):
```shell
terraform import ory_json_web_key_set.signing <project-id>/token-signing-keys
terraform import ory_json_web_key_set.signing token-signing-keys
```
After import, `key_id` is populated from the first key in the set. If the set contains multiple keys, only the first key's metadata is tracked.
{{ .SchemaMarkdown | trimspace }}