OAuth2 JWT Bearer tokens may contain a jku claim, indicating the URL where the jwks can be downloaded, then the corresponding kid within that jwks is used to verify the JWT signature.
This requires a whitelist for jku to prevent abuse, perhaps as web origins.
```json
{
  "jku": "https://evil.com/.well-known/jwks.json"
}
```
In this example, https://evil.com would not be on the whitelist so this token would not be validated.
Automatically downloaded jku URLs can be cached as an optimization and to limit external interference with runtime performance.
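As an added illustration (example code, not part of this issue or of any project's implementation), the following Python sketches the three pieces described above: reading `jku` and `kid` from the token header, checking the `jku` origin (scheme, host, port) against an allowlist, and caching the downloaded JWKS per URL with a TTL. The allowlist `ALLOWED_JKU_ORIGINS`, the TTL, the `fetcher` callback (standing in for a real HTTPS download) and the unsigned demo tokens are all assumptions constructed for the example; signature verification itself is out of scope here.

```python
import base64
import json
import time
from urllib.parse import urlsplit

# Assumed allowlist of web origins (scheme://host[:port]) permitted to host a JWKS.
ALLOWED_JKU_ORIGINS = {"https://auth.example.com"}

# Assumed cache lifetime for a downloaded JWKS; limits repeated external fetches.
JWKS_CACHE_TTL_SECONDS = 300
_jwks_cache = {}  # url -> (fetched_at, jwks_dict)


def origin_of(url):
    """Return the web origin of an absolute https URL, or None otherwise.

    Only https is accepted so a JWKS can never be fetched over plaintext.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if parts.port is not None and parts.port != 443:
        return f"https://{host}:{parts.port}"
    return f"https://{host}"


def jku_is_allowed(jku, allowed_origins=ALLOWED_JKU_ORIGINS):
    """True only when the jku URL's origin is on the allowlist."""
    origin = origin_of(jku)
    return origin is not None and origin in allowed_origins


def decode_jwt_header(token):
    """Parse the JOSE header (first base64url segment) of a compact JWT."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def fetch_jwks(url, fetcher, now=None):
    """Return the JWKS for url, reusing a cached copy while it is fresh.

    fetcher(url) -> dict performs the actual download; it is injected so the
    example runs offline. Only allowlisted URLs should ever reach this point.
    """
    now = time.time() if now is None else now
    cached = _jwks_cache.get(url)
    if cached and now - cached[0] < JWKS_CACHE_TTL_SECONDS:
        return cached[1]
    jwks = fetcher(url)
    _jwks_cache[url] = (now, jwks)
    return jwks


def resolve_signing_key(token, fetcher, now=None):
    """Return the JWK whose kid matches the token header, or raise ValueError.

    The allowlist check happens before any network access, so a token pointing
    at an unapproved host causes no outbound request at all.
    """
    header = decode_jwt_header(token)
    jku = header.get("jku")
    kid = header.get("kid")
    if not jku or not kid:
        raise ValueError("token header lacks jku or kid")
    if not jku_is_allowed(jku):
        raise ValueError(f"jku origin not allowlisted: {jku}")
    jwks = fetch_jwks(jku, fetcher, now)
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise ValueError(f"kid {kid!r} not found in JWKS at {jku}")


def make_demo_token(header):
    """Build a constructed, unsigned compact JWT carrying the given header.

    Used only to exercise the header/allowlist logic above; the signature
    segment is a placeholder and is never verified here.
    """
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64url(header), b64url({"sub": "demo"}), "sig"])
```

A token whose `jku` points at `https://evil.com/...` is rejected by `resolve_signing_key` before `fetcher` is ever called; one pointing at the allowlisted origin is fetched once and then served from the cache until the TTL expires.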