The token issuer must cryptographically sign all access tokens that the JSON web token (JWT) access token validator handles. The JWT access token validator validates a token's signature using a public signing key provided by the issuer.
- Configure the JWT access token validator with the issuer's public signing key:
  - Store the public key as a trusted certificate in the server's local configuration using the trusted-certificate property.
  - Provide the issuer's JSON Web Key Set (JWKS) endpoint using the jwks-endpoint-path property.

    Note: To ensure that the JWT access token validator uses updated copies of the issuer's public keys, the validator checks the configured JWKS endpoint in the following cases:
    - When the validator initializes
    - If the validator can't find a suitable key for verification in its current set of keys
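The two refresh cases in the note above, sketched as an added example (not the product's own code): a key cache that loads the JWKS at startup and fetches it again when a token names a key it does not hold. `JwksKeyCache`, `fetch_jwks`, `sample_token` and the refetch throttle are hypothetical names and assumptions, and the keys and tokens are constructed sample data.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class JwksKeyCache:
    """Hypothetical cache; fetch_jwks is any callable that returns a JWKS dict."""

    def __init__(self, fetch_jwks, min_refetch_seconds=30.0, clock=time.monotonic):
        self._fetch = fetch_jwks
        self._min_refetch = min_refetch_seconds  # assumed throttle, not from the page
        self._clock = clock
        self.fetch_count = 0
        self._refresh()  # case 1: load keys when the validator initializes

    def _refresh(self):
        keys = self._fetch().get("keys", [])
        self._keys = {k["kid"]: k for k in keys if "kid" in k}
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def key_for_token(self, token):
        kid = json.loads(b64url_decode(token.split(".")[0])).get("kid")
        stale = self._clock() - self._last_fetch >= self._min_refetch
        if kid not in self._keys and stale:
            self._refresh()  # case 2: no suitable key in the current set
        return self._keys.get(kid)  # None: no trusted key, reject the token


def sample_token(kid):
    # Constructed token: only the header matters for key selection here.
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"


def demo():
    published = {"keys": [{"kty": "RSA", "kid": "2024-a", "use": "sig"}]}  # constructed
    now = [0.0]
    cache = JwksKeyCache(lambda: published, clock=lambda: now[0])
    first = cache.key_for_token(sample_token("2024-a"))        # served from cache
    published["keys"].append({"kty": "RSA", "kid": "2024-b", "use": "sig"})  # rotation
    now[0] = 60.0
    rotated = cache.key_for_token(sample_token("2024-b"))      # miss triggers refetch
    unknown = cache.key_for_token(sample_token("not-issued"))  # throttled, rejected
    return first["kid"], rotated["kid"], unknown, cache.fetch_count
```

The throttle keeps tokens with made-up key IDs from forcing a JWKS request per token; a lookup that still finds no key returns `None`, and the caller must treat that as a failed validation.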
- Store the public key as a trusted certificate in the server's local configuration using
the