How is JWT.io able to validate signatures automatically for ID & access tokens signed using RS256? I am not providing the public keys, but I wonder how they are able to verify the signature?
The rough algorithm for this would be:
- Find the `iss` property of the JWT payload, which usually indicates the issuer's URL.
- Read the openid-configuration JSON of the issuer by appending `/.well-known/openid-configuration`. For example, if the issuer is `https://example.auth0.com/`, the URL to look at would be
- Find the `jwks_uri` from the above configuration and read the JWKS info by visiting that URL. Example:
- This JWKS endpoint can have multiple certificates. The right cert can be inferred by looking at the `kid` ("key ID") attribute in the JWT's header and matching that with the `kid` in the jwks.json file.
- Use the `x5c` attribute, which is the signing certificate, to validate the JWT's signature.
This depends on the issuer being set to the domain of the IdP, and on the `/.well-known/openid-configuration` URL being available (almost all standard OIDC IdPs host it in that location).
What is the payload?