Not sure why, but this took me some head scratching and research. I am sure someone right now will be screaming out: “that's simple!”
The scenario:
Signature validation is required for an OAuth2 JWT token (access_token or OpenID token).
The setup:
I am using IdentityServer4 as the Security Token Service (STS).
The STS has a well-known configuration URL at: http://host:port/.well-known/openid-configuration/
Note: Your STS setup may have this URL at another location. Check the documentation.
The discovery document's jwks_uri field points at the JWKS URL, which returns a JSON document listing an array of JSON Web Keys (JWKs). Each JWK describes the cryptography used to sign and/or encrypt tokens.
A JWK may also carry the certificate used to sign and/or encrypt the tokens, along with various other fields.
The ‘use’ field within a JWK gives the intended use of the key. For signature verification, the ‘use’ field has the value ‘sig’.
I have done a very bare-minimum walk-through using Node for validating an access_token using the keys supplied at the JWKS URL.
See the code here.