How to return RSA key in jwks_uri endpoint for Ope

Posted 2019-08-11 14:39


Working on the discovery part of an OpenID Connect provider, I'm a bit confused about how to properly return my public keys. My problem is specifically with the modulus (n) and the exponent (e) values.

The initial values of both are:

n = 124692971944797177402996703053303877641609106436730124136075828918287037758927191447826707233876916396730936365584704201525802806009892366608834910101419219957891196104538322266555160652329444921468362525907130134965311064068870381940624996449410632960760491317833379253431879193412822078872504618021680609253

e = 65537

So, from what I understand reading here, I just need to base64url-encode both.

(Example in Python)

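from base64 import urlsafe_b64encode

# base64url of the decimal digits as text (bytes are required on Python 3)
n = urlsafe_b64encode(str(n).encode("ascii"))
e = urlsafe_b64encode(str(e).encode("ascii"))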

e = "NjU1Mzc="

Where am I wrong? Because, for example, Google keys have a different encoding.

(Google key values)

n = "rl1iVsRbhod-gDJj2SDs94lk5iY0QYXV5HIPtjcx4KmIlmq-cdmfLteTeIHFsO5c6hKUt8R3uZzaQNgF3fKt700fT4m6tU23qK4EoLlx9Z_uSajtpMajdmX_FOdyHyQgcn0tj3YqPeYCOTBhRVNoLIenf9vy0hfFy71lcPhylnE",
e = "AQAB"

Am I missing something? Thanks for your time.

P.S.: The project I'm working on.


You're base64url-encoding the decimal representation of the values, but you should base64url-encode the octet value, i.e. the big-endian byte sequence, as defined here: and here


The representation of a positive or zero integer value as the base64url encoding of the value's unsigned big-endian representation as an octet sequence. The octet sequence MUST utilize the minimum number of octets needed to represent the value. Zero is represented as BASE64URL(single zero-valued octet), which is "AA".
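
The encoding quoted above, as an added Python 3 example that is not part of the original question or answer. The helper names and the "kid" value are assumptions made for illustration, and the trailing "=" padding is stripped because JWK values use unpadded base64url.

```python
import base64
import json

# Modulus and exponent exactly as given in the question.
N_FROM_QUESTION = 124692971944797177402996703053303877641609106436730124136075828918287037758927191447826707233876916396730936365584704201525802806009892366608834910101419219957891196104538322266555160652329444921468362525907130134965311064068870381940624996449410632960760491317833379253431879193412822078872504618021680609253
E_FROM_QUESTION = 65537


def b64url_uint(value: int) -> str:
    """Encode a non-negative integer as minimal big-endian octets, then base64url."""
    if value < 0:
        raise ValueError("value must be non-negative")
    # Minimum number of octets; zero still takes one 0x00 octet.
    length = max(1, (value.bit_length() + 7) // 8)
    raw = value.to_bytes(length, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_uint_decode(text: str) -> int:
    """Inverse of b64url_uint: restore the padding, decode, read as big-endian."""
    padded = text + "=" * (-len(text) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def decimal_string_encoding(value: int) -> str:
    """The approach from the question: base64url of the decimal digits as text."""
    return base64.urlsafe_b64encode(str(value).encode("ascii")).decode("ascii")


def rsa_public_jwk(n: int, e: int, kid: str) -> dict:
    """Build one RSA public key entry for the "keys" array of a JWKS document."""
    return {"kty": "RSA", "use": "sig", "kid": kid,
            "n": b64url_uint(n), "e": b64url_uint(e)}


if __name__ == "__main__":
    # "example-key-1" is a constructed key id, not a value from the page.
    jwks = {"keys": [rsa_public_jwk(N_FROM_QUESTION, E_FROM_QUESTION, "example-key-1")]}
    print(json.dumps(jwks, indent=2))
    print("decimal-string form of e:", decimal_string_encoding(E_FROM_QUESTION))
```
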