How are Open Banking Key Ids (kid) Generated?
Something that I've spent a while Googling over the last couple of years of working on PSD2 is "How are Open Banking Key Ids (kid) Generated?"
I say this because it's not super clear how they're generated, and searching Open Banking's documentation hasn't been super easy.
In the spirit of Blogumentation, I want to leave the world a better place and make it easier for others to Google for the answer themselves.
As of writing, we are using v2 of the Open Banking Directory, which is documented on Open Banking's Confluence space. We see that there is a JWK Structure section, which notes that the kid is "The SHA-1 hash of the JWK Fingerprint".
This JWK fingerprint is defined in RFC 7638: JSON Web Key (JWK) Thumbprint, and as it is a well-defined standard, you should be able to find library support for it, such as Nimbus for Java, node-jose for Node projects, or json-jwt for Ruby.
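To see what those libraries do under the hood, here is an added example (not code from this post's sources or from Open Banking) that computes an RFC 7638 thumbprint with SHA-1 using only Ruby's standard library. The function names and the sample key are constructed for illustration, and the base64url encoding of the digest is an assumption taken from the RFC's own example, since the quoted documentation does not state an encoding.

```ruby
require 'digest'
require 'json'

# Members RFC 7638 (section 3.2) includes in the hash input, per key type.
REQUIRED_MEMBERS = {
  'RSA' => %w[e kty n],
  'EC'  => %w[crv kty x y],
  'oct' => %w[k kty]
}.freeze

# Constructed sample JWK: the "n" value is a placeholder, not a real modulus.
SAMPLE_JWK = {
  'kty' => 'RSA', 'use' => 'sig', 'kid' => 'value-to-be-replaced',
  'n' => 'c2FtcGxlLW1vZHVsdXM', 'e' => 'AQAB'
}.freeze

# Canonical hash input: required members only, sorted by name, no whitespace.
# Optional members (kid, use, alg, x5c, ...) never influence the result.
def canonical_jwk_json(jwk)
  jwk = jwk.transform_keys(&:to_s)
  names = REQUIRED_MEMBERS.fetch(jwk['kty']) do
    raise ArgumentError, "unsupported kty: #{jwk['kty'].inspect}"
  end
  missing = names.reject { |n| jwk[n].is_a?(String) && !jwk[n].empty? }
  raise ArgumentError, "missing members: #{missing.join(', ')}" unless missing.empty?

  JSON.generate(names.sort.to_h { |n| [n, jwk[n]] })
end

# SHA-1 over the canonical JSON, encoded as unpadded base64url (assumed encoding).
def open_banking_kid(jwk)
  raw = Digest::SHA1.digest(canonical_jwk_json(jwk))
  [raw].pack('m0').tr('+/', '-_').delete('=')
end

puts open_banking_kid(SAMPLE_JWK) if $PROGRAM_NAME == __FILE__
```

Because only the required members are hashed, recomputing the value from a published JWK and comparing it to the advertised kid is a quick consistency check when debugging key lookups.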