We have multiple environments + web and native clients, resulting in a couple of Auth0 Applications configured. The Applications that are of type Machine to Machine are listed in our /.well-known/jwks.json but the Applications of type Native aren’t included in this list (although they, too, have RS256 set).
We could grab the Native Applications’ certifications through the configuration’s Advanced Settings > Certificates section and add them to our AllowList by hand, but having a JWKS list that can be updated periodically and keeps track of any Application changes is a charm.
Is there a setting we’re missing to add our Native Application keys to the JWKS?
Hi @henning.wagner ,
Welcome to the Community!
This doc describes all of the ways you can get your client secrets and signing keys.
https://auth0.com/docs/tokens/view-client-secrets-and-signing-keys
Hello,
Can you share a little bit more about what you’re seeing in jwks.json? I don’t generally expect to see applications listed there, just the JWK representations for the tenant as a whole.
I checked my own tenant and the x5t in /.well-known/jwks.json is the same as the certificate available in the certificate tab of the advanced settings of native applications.
Thanks,
Matt
Hi @dan.woda , hi @matt.macadam,
Thanks for the warm welcome, and thanks Dan for the docs link. Combined with your feedback, Matt, that set me in the right direction.
My bad: I was mistaking the list of keys (2x in my org’s jwks.json) with some amount of configured Applications and that was wrong. It’s the tenant’s keys – thanks for pointing that out!
(And having one key Currently Used and one in status Next In Queue as shown in the Tenant Settings > Signing Keys leads to exactly what /.well-known/jwks.json is showing us.)
Thanks and take care!
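
The two checks discussed in this thread, as an added example that is not part of the original posts or Auth0's own code: comparing a certificate's `x5t` thumbprint against the tenant JWKS, and selecting between the two tenant keys by the token's `kid`. The JWKS, the `kid` values and the certificate bytes are constructed stand-ins, and signature verification itself is left to a JWT library.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_of(der: bytes) -> str:
    """RFC 7517 x5t: base64url of the SHA-1 digest of the DER certificate."""
    return b64url(hashlib.sha1(der).digest())

def constructed_jwk(kid: str, der: bytes) -> dict:
    # Hypothetical helper building sample data; n/e are omitted because nothing is verified here.
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "x5c": [base64.b64encode(der).decode("ascii")], "x5t": x5t_of(der)}

# Constructed stand-ins for the tenant's two signing certificates (not real DER).
CURRENT_DER = b"constructed-der-bytes-currently-used"
NEXT_DER = b"constructed-der-bytes-next-in-queue"
SAMPLE_JWKS = json.dumps({"keys": [
    constructed_jwk("constructed-kid-current", CURRENT_DER),
    constructed_jwk("constructed-kid-next", NEXT_DER)]})

def index_jwks(jwks_json: str) -> dict:
    """Return {kid: jwk}; reject any key whose x5t does not match its x5c[0]."""
    keys = {}
    for jwk in json.loads(jwks_json)["keys"]:
        der = base64.b64decode(jwk["x5c"][0])
        if x5t_of(der) != jwk["x5t"]:
            raise ValueError(f"x5t mismatch for kid {jwk['kid']!r}")
        keys[jwk["kid"]] = jwk
    return keys

def certificate_in_jwks(der: bytes, keys: dict) -> bool:
    """True if a certificate (e.g. one copied from an application's
    Certificates tab) is one of the tenant keys published in the JWKS."""
    thumbprint = x5t_of(der)
    return any(jwk["x5t"] == thumbprint for jwk in keys.values())

def key_for_token(token: str, keys: dict) -> dict:
    """Select the JWK named by the token header's kid. An unknown kid is an
    error (refetch the JWKS, then reject); never fall back to 'any key'."""
    head = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg in token header")
    if header.get("kid") not in keys:
        raise KeyError("kid not present in tenant JWKS")
    return keys[header["kid"]]
```
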