Before I start, let me say that I wanted to provide concrete information. However, the post seemingly must not contain links, and the interpretation of what is deemed a link seems to be pretty “wide”.
I am issuing JWTs that represent the license to use a SaaS service, not access tokens or ID tokens. Those JWTs, including their signatures, are correctly validated by the beta of the new debugger as long as I manually provide the public key in either PEM or JWK format. The debugger is “Unable to automatically download public key from JWT.” It asks me to “enter public key manually to verify the JWT signature.”
I followed the documentation and currently provide the well-known endpoints for the JWKS and the OpenID configuration. The OpenID configuration includes just the following three properties (which might not be enough for the debugger to work correctly): jwks_uri, issuer, and claims_supported.
The JWKS seems to be correct. When copy-pasting the one and only JWK into the public key field of the debugger, the signature is correctly validated. The same is true for v1 of the debugger. However, the beta makes me want it to download the public key because, unlike v1, it deletes the public key whenever a new JWT is pasted into the JSON web token field.
Thus, what are the prerequisites for the beta of the new debugger to automatically download the public key? It would be nice if this could just be the well-known JWKS endpoint. Providing a full OpenID configuration would be a bit over the top in my mind.
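An added example, not part of the original post and not the debugger's own logic: a self-check that the three artifacts described above (the token, the OpenID configuration, and the JWKS) agree with each other along the standard OpenID Connect discovery chain of `iss` to `issuer` to `jwks_uri` to `kid`. It assumes a verifier that follows that chain; the issuer URL, `kid` and key material are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "Ed": "OKP"}  # JWS alg prefix -> JWK kty

def seg(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unseg(part):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def discovery_problems(jwt, config, jwks):
    """List the mismatches that stop a verifier resolving iss -> config -> JWKS -> key."""
    header, payload = (unseg(p) for p in jwt.split(".")[:2])
    problems = []
    if not payload.get("iss"):
        problems.append("token has no iss claim to start discovery from")
    elif config.get("issuer") != payload["iss"]:
        problems.append("config issuer is not an exact string match for token iss")
    if not str(config.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri is missing or not https")
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return problems + ["JWKS must be an object with a non-empty 'keys' array"]
    kid = header.get("kid")
    matches = [k for k in keys if kid is None or k.get("kid") == kid]
    kty = ALG_KTY.get(str(header.get("alg"))[:2])
    if kty is None:
        problems.append("alg has no public key to publish (symmetric or none)")
    elif not matches:
        problems.append(f"no JWK with kid {kid!r}")
    elif not any(k.get("kty") == kty and k.get("use", "sig") == "sig" for k in matches):
        problems.append(f"JWK matched by kid is not a {kty} signing key")
    return problems

# Constructed sample data; issuer, kid and key material are placeholders.
ISS = "https://license.example.test"
SAMPLE_JWT = ".".join([seg({"alg": "RS256", "kid": "lic-1", "typ": "JWT"}),
                       seg({"iss": ISS, "sub": "customer-42"}), "c2ln"])
SAMPLE_CONFIG = {"issuer": ISS, "jwks_uri": ISS + "/.well-known/jwks.json",
                 "claims_supported": ["iss", "sub"]}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "lic-1", "use": "sig",
                         "n": "constructed-modulus", "e": "AQAB"}]}

if __name__ == "__main__":
    print(discovery_problems(SAMPLE_JWT, SAMPLE_CONFIG, SAMPLE_JWKS))
```

The check covers only whether the documents are consistent with one another; it does not fetch anything or verify the signature.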