I want to verify that my thinking is correct: I currently have an API that will get requests that include JWTs from more than one issuer. These all use RS256. What I’m doing is using the ‘iss’ claim to construct the URL to fetch the jwks file from. Is there any reason not to do this? Is there a better best practice?
As it has been more than a few months since this topic was opened and there has been no reply or further information provided from the community as to the existence of the issue we would like to check if you are still facing the described challenge?
We are more than happy to assist in any way! If the issue is still out there please let us know so we can create a new thread for better visibility, otherwise we’ll close this one in week’s time.
This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.