How is able to validate signatures

How is able to validate signatures automatically for id & access tokens signed using RS256 . I am not providing the public keys but i wonder how they are able to verify the signature ?

Hey @elias.nithin , figures out the JWKS endpoint of the Identity Provider that issued the token, which will include the X.509 certificate that can be used to validate the signature.

The rough algorithm for this would be:

  1. Find the iss property of the JWT payload, which usually indicates the issuer’s URL.
  2. Read the openid-configuration JSON of issuer by appending /.well-known/openid-configuration. For example, if the issuer is, the URL to look would be
  3. Find the jwks_uri from the above configuration and read the JWKS info info by visiting that URL. Example:
  4. This JWKS endpoint can have multiple certificates. The right cert can be inferred by looking at the kid (“key ID”) attribute in JWT’s header and matching that with the kid in the jwks.json file.
  5. Use the x5c attribute, which is the signing certificate, to validate the JWT’s signature.

This depends on the issuer to be set to the domain of the IdP, and for the /.well-known/openid-configuration URL to be available (almost all standard OIDC IdPs host it in that location).

What is the payload Petition enact-term-limits-for-service-in-the-congress-of-the-united-states-of-america

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.