From 91add59b9a68b4b47587a36c80efed37f9a584eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teo=20Klestrup=20R=C3=B6ijezon?= Date: Fri, 5 Feb 2021 12:01:38 +0100 Subject: [PATCH] Document JWKS support --- deps/rabbitmq_auth_backend_oauth2/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/deps/rabbitmq_auth_backend_oauth2/README.md b/deps/rabbitmq_auth_backend_oauth2/README.md index d98d259779..8712e53260 100644 --- a/deps/rabbitmq_auth_backend_oauth2/README.md +++ b/deps/rabbitmq_auth_backend_oauth2/README.md @@ -122,6 +122,22 @@ If a symmetric key is used, the configuration will look like this: ]. ``` +The key set can also be retrieved dynamically from a URL serving a [JWK Set](https://tools.ietf.org/html/rfc7517#section-5). +In that case, the configuration will look like this: + +```erlang +[ + {rabbitmq_auth_backend_oauth2, [ + {resource_server_id, <<"my_rabbit_server">>}, + {key_config, [ + {jwks_url, "https://my-jwt-issuer/jwks.json"} + ]} + ]}, +]. +``` + +NOTE: `jwks_url` takes precedence over `signing_keys` if both are provided. + ### Resource Server ID and Scope Prefixes OAuth 2.0 (and thus UAA-provided) tokens use scopes to communicate what set of permissions particular
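Review bot: the added Erlang example ends with `]},` immediately before the closing `].`, and that trailing comma makes the term invalid, so a reader who pastes the snippet into their config will get a parse error; drop the comma so the `rabbitmq_auth_backend_oauth2` tuple closes with `]}` followed by `].`. The NOTE that `jwks_url` takes precedence over `signing_keys` also leaves open what happens to verification when both are set and the URL cannot be fetched. Since the keys served from that URL decide which tokens are accepted, it would help to document whether `signing_keys` is then ignored entirely or used as a fallback. The same paragraph could state how the HTTPS endpoint's certificate is validated and how often the key set is re-fetched.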