The token issuer must cryptographically sign all access tokens that the JSON web token (JWT) access token validator handles. The JWT access token validator validates a token's signature using a public signing key provided by the issuer.
Configure the JWT access token validator with the issuer's public signing
key:
- Store the public key as a trusted certificate in the server's local configuration using
the
trusted-certificateproperty. - Provide the issuer's JSON Web Key Set (JWKS) endpoint using the
jwks-endpoint-pathproperty.Note:The JWT access token validator then retrieves the issuer's public keys when it initializes. This method ensures that the JWT access token validator uses updated copies of the issuer's public keys.