How is JWT.io able to validate signatures automatically for ID & access tokens signed using RS256? I am not providing the public keys, but I wonder how they are able to verify the signature?
Hey @elias.nithin, JWT.io figures out the JWKS endpoint of the Identity Provider that issued the token, which will include the X.509 certificate that can be used to validate the signature.
The rough algorithm for this would be:
- Find the `iss` property of the JWT payload, which usually indicates the issuer's URL.
- Read the openid-configuration JSON of the issuer by appending `/.well-known/openid-configuration`. For example, if the issuer is https://example.auth0.com/, the URL to look at would be https://example.auth0.com/.well-known/openid-configuration.
- Find the `jwks_uri` from the above configuration and read the JWKS info by visiting that URL. Example: https://example.auth0.com/.well-known/jwks.json.
- This JWKS endpoint can have multiple certificates. The right cert can be inferred by looking at the `kid` ("key ID") attribute in the JWT's header and matching that with the `kid` in the jwks.json file.
- Use the `x5c` attribute, which is the signing certificate, to validate the JWT's signature.
This depends on the issuer being set to the domain of the IdP, and on the `/.well-known/openid-configuration` URL being available (almost all standard OIDC IdPs host it in that location).
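As an added example, not code from the original post or from JWT.io: the steps above carried out offline in Go with only the standard library. The issuer (a fresh RSA key, a self-signed certificate, and a one-key JWKS), the key ID `key-1`, and the sample claims are all constructed here for the example; a real verifier would fetch the discovery document and `jwks_uri` over HTTPS instead of calling `newIssuer`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type JWK struct{ Kid string `json:"kid"`; X5c []string `json:"x5c"` } // the RFC 7517 fields this lookup needs
type JWKS struct{ Keys []JWK `json:"keys"` }                           // the document served at jwks_uri
var b64 = base64.RawURLEncoding                                        // unpadded base64url: the JWT segment encoding

func discoveryURL(iss string) string { // step 2: iss + /.well-known/openid-configuration (Auth0's trailing slash tolerated)
	return strings.TrimSuffix(iss, "/") + "/.well-known/openid-configuration"
}

// verifyRS256 walks the answer's remaining steps offline: read kid from the header, pick the matching
// JWK, take the leaf certificate from x5c and verify the RS256 signature with its RSA public key.
func verifyRS256(token string, jwks JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the verifier, not the token, decides how to check
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var x5c string
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && len(k.X5c) > 0 {
			x5c = k.X5c[0]
		}
	}
	if x5c == "" {
		return nil, fmt.Errorf("no JWK with kid %q carries an x5c certificate", hdr.Kid)
	}
	der, err := base64.StdEncoding.DecodeString(x5c) // x5c is padded standard base64 DER, not base64url
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("x5c leaf holds %T, not an RSA key", cert.PublicKey)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func must[T any](v T, err error) T { // fixture helper only; the verification code above returns errors
	if err != nil {
		panic(err)
	}
	return v
}

func newIssuer(kid string) (*rsa.PrivateKey, JWKS) { // constructed IdP stand-in: RSA key + self-signed cert as a one-key JWKS
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.auth0.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return priv, JWKS{Keys: []JWK{{Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}}}
}

func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string { // constructed: signs an RS256 JWT naming kid
	hdr := must(json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}))
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(must(json.Marshal(claims)))
	digest := sha256.Sum256([]byte(signingInput))
	sig := must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]))
	return signingInput + "." + b64.EncodeToString(sig)
}
```

Two details matter in practice: the `alg` header is pinned to RS256 before any key is looked up, so a token cannot downgrade the check to `none` or to an HMAC over the public key, and `x5c` is decoded with padded standard base64 while the JWT segments use unpadded base64url. A production verifier would additionally check `iss`, `aud` and `exp`, and only trust a discovery document fetched over TLS from the `iss` host.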