Still unable to find a resolution. Tried changing my app to HS256, then saw a post where native apps are forcibly issued RS256 tokens because native clients can’t reliably store secrets; that makes sense.
I’m trying to follow the manual steps and can’t get my token to verify either. On my mobile device I log in and capture the token, I paste that in jwt.io, then I get my key from /pem (or the jwks url, I have validated they are the same) and paste that in jwt.io and can’t validate the signature.
I feel like I’m doing something completely off base, but all the online documentation seems to point me in this direction. To verify I should be able to:
- Log in on the Auth0 form requesting an ID token
- Extract the ID token from the request object and paste it into jwt.io
- Get the public key either from the dashboard, /pem, or the JSON returned from .well-known/jwks.json and paste it into jwt.io where the existing public key is and verify?

I am unable to get my token to verify with this method. What am I missing?
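
The manual check described in the post above can also be done locally, without jwt.io. This is an added example, not part of the original post and not Auth0's code: it verifies an RS256 token against a JWKS document with the Python standard library only. The function names, the `demo-1` key id and the test key (built from two Mersenne primes) are constructed for illustration.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(signing_input, k):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256 hash
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    h64, p64, s64 = token.strip().split(".")
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":
        raise ValueError("token is not RS256")
    # Select the JWKS entry whose kid matches the token header.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key matches the token's kid")
    n = int.from_bytes(b64u_dec(key["n"]), "big")
    e = int.from_bytes(b64u_dec(key["e"]), "big")
    size = (n.bit_length() + 7) // 8
    sig = b64u_dec(s64)
    if len(sig) != size or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(size, "big")
    # The signature covers the ASCII "header.payload" exactly as received.
    return em == emsa(f"{h64}.{p64}".encode(), size)

# Constructed test key from two Mersenne primes: demo only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_demo():
    size = (N.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "kid": "demo-1", "n": b64u_enc(N.to_bytes(size, "big")), "e": "AQAB"}
    head = b64u_enc(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo-1"}).encode())
    body = b64u_enc(json.dumps({"sub": "constructed-user"}).encode())
    em = int.from_bytes(emsa(f"{head}.{body}".encode(), size), "big")
    sig = pow(em, D, N).to_bytes(size, "big")
    return f"{head}.{body}.{b64u_enc(sig)}", {"keys": [jwk]}
```

To use it on a real token, pass the captured token string and the parsed JSON from the tenant's `.well-known/jwks.json` to `verify_rs256`.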