Update Public Key JWT
To ensure the registered public key of an IoT device can only be updated by the device itself, the IoT device has to authenticate to the IoT IdP by providing a private key JWT. However, the structure of the JWT differs slightly from the JWT used to authenticate against the token API of the IoT identity provider.
The only difference to the JWT used to authenticate to the token API is an additional claim in the body of the JWT that contains the new public key that the IoT device wants to update. An example of what an assembled JWT to update a registered public key may look like is displayed below.
The header object contains three claims:
- alg: The cryptographic algorithm used to generate the signature of the JWT.
- typ: The type of JWT the object represents. Has to be set to
- kid: The id of the key used to generate the signature of the JWT. This claim has to correspond to the device ID registered with IoT IdP.
An example of how a JWT header may look is displayed below.
The body has two contain two claims
- sub: The subject of the JWT. This claim has to correspond to the device ID registered with the IoT IdP.
- public_key: This claim contains a PEM representation of the new public key that should be updated.
- jti: The JWT ID is a 32-byte long hexadecimal random number, which has to be unique. As a result, preventing replay attacks and ensures that an issued JWT can only be used once for each device.
An example of how a JWT body may look is displayed below.
"public_key": "-----BEGIN PUBLIC KEY-----MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0DPl/xEvmaB/di695RJ+qfIdL56Snev0PdqUGhmbJYqPgkTd2RsTFjt6TSZ/1HlluSXBT+O7Nska+C8rFk4wOg==-----END PUBLIC KEY-----"
The signature is generated using the private key that corresponds to the registered public key and the defined algorithm in the alg claim of the header, e.g. for the above-displayed header the signature is calculated as follows.
base64UrlEncode(header) + "." +