We have multiple environments + web and native clients, resulting in a couple of Auth0 Applications configured. The Applications that are of type Machine to Machine are listed in our /.well-known/jwks.json but the Applications of type Native aren’t included in this list (although they, too, have RS256 set).
We could grab the Native Applications’ certifications through the configuration’s Advanced Settings > Certificates section and add them to our AllowList by hand, but having a JWKS list that can be updated periodically and keeps track of any Application changes is a charm.
Is there a setting we’re missing to add our Native Application keys to the JWKS?
Can you share a little bit more about what you’re seeing in jwks.json? I don’t generally expect to see applications listed there, just the JWK representations for the tenant as a whole.
I checked my own tenant and the x5t in /.well-known/jwks.json is the same as the certificate available in the certificate tab of the advanced settings of native applications.
Thanks for the warm welcome and thanks Dan for the docs link. Combined with your feedback, Matt, it set me in the right direction.
My bad: I was mistaking the list of keys (2x in my org’s jwks.json) with some amount of configured Applications and that was wrong. It’s the tenant’s keys – thanks for pointing that out!
(And having one key Currently Used and one in status Next In Queue as shown in the Tenant Settings > Signing Keys leads to exactly what /.well-known/jwks.json is showing us.)
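The conclusion of this thread, as an added example (not code from any poster or from Auth0): tokens from a Native and a Machine to Machine Application resolve to the same tenant key through the `kid` in the token header, and each key's `x5t` can be recomputed from its `x5c` entry. The JWKS, certificate bytes, `kid` values, client names and tokens are constructed samples, and signature verification is left to a JWT library.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def x5t_of(x5c_entry: str) -> str:
    """x5t per RFC 7517: base64url SHA-1 thumbprint of the DER cert in x5c."""
    return b64url(hashlib.sha1(base64.b64decode(x5c_entry)).digest())

def inconsistent_kids(jwks: dict) -> list:
    """Return kids whose advertised x5t does not match their own x5c[0]."""
    return [k["kid"] for k in jwks["keys"] if x5t_of(k["x5c"][0]) != k.get("x5t")]

def select_key(jwks: dict, token: str) -> dict:
    """Pick the tenant signing key named by the token header's kid.
    This only selects the key; it does not verify the signature."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":  # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    for key in jwks["keys"]:
        if key["kid"] == header.get("kid") and key.get("use", "sig") == "sig":
            return key
    raise KeyError("kid not in JWKS")  # refresh the JWKS once, then reject

# --- constructed sample data (not real certificates or tokens) ---
def fake_key(kid: str, der: bytes) -> dict:
    x5c = base64.b64encode(der).decode()
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "x5c": [x5c], "x5t": x5t_of(x5c)}

def fake_token(kid: str, client_id: str, alg: str = "RS256") -> str:
    header = b64url(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps({"azp": client_id}).encode())
    return f"{header}.{payload}.constructed-signature"

# Two entries, like "Currently Used" and "Next In Queue" in the thread.
JWKS = {"keys": [fake_key("current-key", b"constructed DER bytes A"),
                 fake_key("next-key", b"constructed DER bytes B")]}
NATIVE_TOKEN = fake_token("current-key", "native-app")
M2M_TOKEN = fake_token("current-key", "m2m-app")

if __name__ == "__main__":
    print(select_key(JWKS, NATIVE_TOKEN)["kid"], select_key(JWKS, M2M_TOKEN)["kid"])
    print("x5t mismatches:", inconsistent_kids(JWKS))
```

A `kid` miss is the signal to refetch the JWKS once (the queued key may have been rotated in) before rejecting the token.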