How does jwt.io (any client implementation) know where to fetch the public key to verify JWT signature? I used a JWT in the debugger signed using public key retrievable from a jwks endpoint. The payload does have the configuration endpoint (iss claim) but just curious to know what is the logic to go about finding where to retrieve the public key from?
How does the debugger know that the value in iss is a configuration endpoint and should try reading values from it.
I could use using browser tools that JWT.io makes a call to the configuration endpoint to retrieve signing information.
What is the identification logic to go about making this external call?