You verify the Access or ID token’s signature by matching the key that was used to sign in with one of the keys that you retrieved from your Okta Authorization Server’s JWK endpoint. Specifically, each public key is identified by a kid attribute, which corresponds with the kid claim in the Access or ID token header.
Thanks for your response. I do not understand your comments. I am a newbie in Okta.
What do you mean:
{{url}}/api/v1/apps/{{appId}}/credentials/keys/{{keyId}} ?
I think the URL should be: [https://dev-850216.okta.com]… I do not know what is appId
This is out of my jwks:
{
"kid": "XI5pBOeLB_wLXwfl7KaEWjidtLqxUUtB6YF3kVPdVT0",
"use": "sig",
"e": "AQAB",
"n": "i6pF-t_uSN6usYYM5n_SkAodvty2GhGrwTr4DZtGjBlqNh11vXXMTQ3gL2jlo1JCWkU-mNjE8SKoHKlt5okXHiFK_AbBRfOT4mRxLDWFI6T0-rA5MyHj80mFw1cEzlOVF4IxiO44xcjQJduDNuZKHiM5uAJZi6T_295yDp1jZGMZRWuWfMBh_9uxiFHENpulWRTtTgoi9ZZ1KH9znczXb0BPAUH1UHn624NtU1h8GGwGZ3vBHOlXtayFQysvazWiD2RGGG-p7cik3no78Ip_r19ilfWfb3XPizM3XikStzfVMFovIAZsWFZqObWxaXDVcdOSfh7XJwlNcNDaxjhvLQ"
}
Thanks for your comment.
OK. Forgive my ignorance here. It seems it is very complicated to achieve a simple task I want to do here. I am using the out-of-the-box Okta OAuth2 Server as a single point to do a simple integration. The reason I need this public key or cert is so that I can verify elsewhere. Why does the default Authorization Server not publish x5c as part of the jwks_uri in the metaapi? I have done simple integrations with Microsoft’s Azure and Oracle’s IDCS as well. They all seem to have this x5c.
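Added example, not part of the original posts and not Okta's code: a JWK without x5c still carries the whole RSA public key in n and e, so a PEM public key for verification elsewhere can be built from it once the key is selected by kid. The function names are chosen here for illustration, and the sample key is the one posted above.

```python
import base64

# RSA public key from the jwks posted in the thread (fields as shown there).
SAMPLE_JWKS = {"keys": [{
    "kid": "XI5pBOeLB_wLXwfl7KaEWjidtLqxUUtB6YF3kVPdVT0",
    "use": "sig",
    "e": "AQAB",
    "n": "i6pF-t_uSN6usYYM5n_SkAodvty2GhGrwTr4DZtGjBlqNh11vXXMTQ3gL2jlo1JCWkU-mNjE8SKoHKlt5okXHiFK_AbBRfOT4mRxLDWFI6T0-rA5MyHj80mFw1cEzlOVF4IxiO44xcjQJduDNuZKHiM5uAJZi6T_295yDp1jZGMZRWuWfMBh_9uxiFHENpulWRTtTgoi9ZZ1KH9znczXb0BPAUH1UHn624NtU1h8GGwGZ3vBHOlXtayFQysvazWiD2RGGG-p7cik3no78Ip_r19ilfWfb3XPizM3XikStzfVMFovIAZsWFZqObWxaXDVcdOSfh7XJwlNcNDaxjhvLQ",
}]}
# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def b64url_to_int(value):
    """Decode an unpadded base64url JWK field into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def der(tag, body):
    """Encode one DER tag-length-value, using the long length form when needed."""
    size = len(body)
    if size < 0x80:
        length = bytes([size])
    else:
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_int(n):
    """DER INTEGER, sized so a leading 0x00 appears only when the top bit is set."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def select_jwk(jwks, kid):
    """Return the signing key whose kid matches the kid in the token header."""
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise KeyError(f"no signing key with kid {kid!r}")

def jwk_to_spki_der(jwk):
    """Build a SubjectPublicKeyInfo structure from the JWK's n and e."""
    rsa_key = der(0x30, der_int(b64url_to_int(jwk["n"])) + der_int(b64url_to_int(jwk["e"])))
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))

def jwk_to_pem(jwk):
    """Wrap the DER key as a PEM 'PUBLIC KEY' block with 64-character lines."""
    b64 = base64.b64encode(jwk_to_spki_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    kid = SAMPLE_JWKS["keys"][0]["kid"]  # in practice, read from the token header
    print(jwk_to_pem(select_jwk(SAMPLE_JWKS, kid)))
```

Because signing keys can rotate, the lookup by kid should run against a freshly fetched key set rather than a PEM file saved once.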