How is JWT.io able to validate signatures

Hey @elias.nithin, JWT.io figures out the JWKS endpoint of the Identity Provider that issued the token, which will include the X.509 certificate that can be used to validate the signature.

The rough algorithm for this would be:

  1. Find the iss property of the JWT payload, which usually indicates the issuer’s URL.
  2. Read the openid-configuration JSON of the issuer by appending /.well-known/openid-configuration. For example, if the issuer is https://example.auth0.com/, the URL to look at would be https://example.auth0.com/.well-known/openid-configuration.
  3. Find the jwks_uri from the above configuration and read the JWKS info by visiting that URL. Example: https://example.auth0.com/.well-known/jwks.json.
  4. This JWKS endpoint can have multiple certificates. The right cert can be inferred by looking at the kid (“key ID”) attribute in the JWT’s header and matching that with the kid in the jwks.json file.
  5. Use the x5c attribute, which is the signing certificate, to validate the JWT’s signature.

This depends on the issuer being set to the domain of the IdP, and on the /.well-known/openid-configuration URL being available (almost all standard OIDC IdPs host it in that location).
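As an added example (not code from the original post or from JWT.io), the Python below walks steps 1 to 4 against constructed stand-in copies of the two documents an IdP would serve, returning the JWK whose x5c would then be handed to a JWT library for the actual signature check (step 5). It assumes the fetcher is injected (here a dict lookup) and adds the checks a verifier wants before following an unverified iss claim: an issuer allowlist, a pinned algorithm, and a jwks_uri host that matches the issuer.

```python
import base64, json
from urllib.parse import urlparse

# Constructed stand-ins for the two documents the IdP would serve over HTTPS;
# the x5c entries are placeholders, not real certificates.
ISSUER = "https://example.auth0.com/"
FAKE_RESPONSES = {
    ISSUER + ".well-known/openid-configuration": {"jwks_uri": ISSUER + ".well-known/jwks.json"},
    ISSUER + ".well-known/jwks.json": {"keys": [
        {"kty": "RSA", "kid": "key-2023", "use": "sig", "x5c": ["<old-cert>"]},
        {"kty": "RSA", "kid": "key-2024", "use": "sig", "x5c": ["<new-cert>"]},
    ]},
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, payload):
    # Third segment is a dummy: this example stops at selecting the key.
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.sig"

def discovery_url(iss):
    u = urlparse(iss)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("issuer must be an https URL")
    return iss.rstrip("/") + "/.well-known/openid-configuration"

def resolve_signing_key(token, fetch_json, trusted_issuers):
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    iss = payload.get("iss")
    # iss and alg are unverified input until the signature checks out: only
    # follow iss for issuers you already trust and pin the expected algorithm.
    if iss not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {iss!r}")
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    jwks_uri = fetch_json(discovery_url(iss))["jwks_uri"]
    if urlparse(jwks_uri).netloc != urlparse(iss).netloc:
        raise ValueError("jwks_uri host does not match issuer")
    kid = header.get("kid")
    matches = [k for k in fetch_json(jwks_uri)["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"expected one key for kid {kid!r}, found {len(matches)}")
    return matches[0]
```

A real resolver swaps `FAKE_RESPONSES.__getitem__` for an HTTPS fetch with caching, and passes the returned JWK (or its x5c certificate) to the JWT library that performs the RS256 verification.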