I have a question about verifying an access token. I can use the jwks endpoint to retrieve the correct key for the ID Token, but the access token is signed by an unpublished key. Is this intentional? If not where can I get the correct key?
curl -d "grant_type=password&scope=openid&…removed… https://xxx.okta.com/oauth2/v1/token
id_token signed with kid ‘X’ found in key set at https://xxx.okta.com/oauth2/v1/keys
However access_token signed with a key not found in key set.