OIDC and JWT validation

Once I complete an OIDC auth, and include the resulting JWT token in my request header (as Authorization: Bearer ew43…) - how is that JWT token validated to actually come from a valid IDP?

Have you seen the flow here?

I have seen that, yes. However, I may be a little mixed up: there isn’t any place to enter a public key / cert (or a JWK set URL) when configuring OIDC in Tyk, so I’m unclear on how it’s doing the validation. That is basically my question.

With OIDC, the JWK is hosted by your IDP on a discoverable URL; Tyk will use the IDP to find the keys to validate the JWT.
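To make that answer concrete, here is an added example in Go of the discovery chain it describes (this is example code written for this thread, not Tyk's own implementation): the gateway takes the issuer it was configured with, fetches `/.well-known/openid-configuration`, follows `jwks_uri` to the published key set, picks the key whose `kid` matches the token header, verifies the RS256 signature, and only then trusts the `iss`, `aud` and `exp` claims. The in-memory `FakeIDP`, its issuer URL `https://idp.example.test`, the key id `example-key-1` and the audience `my-api` are all constructed for the example so it runs offline; a real gateway would fetch the two documents over TLS and cache the key set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK use base64url without padding

// seg decodes one base64url segment; a malformed segment yields nil, so the step that consumes it fails closed.
func seg(s string) []byte { b, _ := b64.DecodeString(s); return b }

// DiscoverJWKS follows the OIDC discovery chain a gateway relies on: issuer -> /.well-known/openid-configuration
// -> jwks_uri -> RSA public keys indexed by kid. fetch stands in for an HTTPS GET against the IdP.
func DiscoverJWKS(fetch func(string) ([]byte, error), issuer string) (map[string]*rsa.PublicKey, error) {
	cfgRaw, err := fetch(strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil { return nil, err }
	var cfg struct{ Issuer string `json:"issuer"`; JwksURI string `json:"jwks_uri"` }
	if err := json.Unmarshal(cfgRaw, &cfg); err != nil { return nil, err }
	if cfg.Issuer != issuer { return nil, fmt.Errorf("discovery document names issuer %q, expected %q", cfg.Issuer, issuer) }
	jwksRaw, err := fetch(cfg.JwksURI)
	if err != nil { return nil, err }
	var jwks struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` }
	if err := json.Unmarshal(jwksRaw, &jwks); err != nil { return nil, err }
	keys := map[string]*rsa.PublicKey{}
	for _, k := range jwks.Keys {
		if k.Kty != "RSA" || k.N == "" || k.E == "" { continue } // skip non-RSA or incomplete entries
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(seg(k.N)), E: int(new(big.Int).SetBytes(seg(k.E)).Int64())}
	}
	return keys, nil
}

// ValidateJWT verifies an RS256 token against the discovered keys, then checks the iss, aud and exp claims.
func ValidateJWT(token string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(seg(parts[0]), &hdr); err != nil { return nil, fmt.Errorf("bad header: %w", err) }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) } // pin the alg: the token never picks "none" or HMAC
	pub, ok := keys[hdr.Kid]
	if !ok { return nil, fmt.Errorf("no published key with kid %q", hdr.Kid) }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg(parts[2])); err != nil { return nil, fmt.Errorf("bad signature") }
	var claims map[string]any
	if err := json.Unmarshal(seg(parts[1]), &claims); err != nil { return nil, fmt.Errorf("bad payload: %w", err) }
	if claims["iss"] != issuer { return nil, fmt.Errorf("issuer mismatch") }
	if claims["aud"] != audience { return nil, fmt.Errorf("audience mismatch") } // real tokens may carry aud as an array
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0 and is therefore rejected as expired
	if !now.Before(time.Unix(int64(exp), 0)) { return nil, fmt.Errorf("token expired") }
	return claims, nil
}

// FakeIDP is a constructed in-memory identity provider so the example runs offline; its issuer URL and kid are made up.
type FakeIDP struct{ Issuer, Kid string; key *rsa.PrivateKey }

func NewFakeIDP(issuer string) *FakeIDP {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return &FakeIDP{Issuer: issuer, Kid: "example-key-1", key: key}
}

// Fetch serves the two documents a gateway asks for: the discovery document and the JWKS it points to.
func (p *FakeIDP) Fetch(url string) ([]byte, error) {
	switch url {
	case p.Issuer + "/.well-known/openid-configuration":
		return json.Marshal(map[string]string{"issuer": p.Issuer, "jwks_uri": p.Issuer + "/keys"})
	case p.Issuer + "/keys":
		return json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": p.Kid,
			"n": b64.EncodeToString(p.key.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(p.key.E)).Bytes())}}})
	}
	return nil, fmt.Errorf("not found: %s", url)
}

// Mint issues an RS256 token carrying the given claims, as the IdP does after a successful login.
func (p *FakeIDP) Mint(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": p.Kid})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return signingInput + "." + b64.EncodeToString(sig)
}

func main() {
	idp := NewFakeIDP("https://idp.example.test")
	keys, err := DiscoverJWKS(idp.Fetch, idp.Issuer)
	if err != nil { panic(err) }
	tok := idp.Mint(map[string]any{"iss": idp.Issuer, "aud": "my-api", "sub": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(ValidateJWT(tok, keys, idp.Issuer, "my-api", time.Now())) // claims map and <nil> on success
}
```

The point worth noticing is that nothing in the gateway configuration holds a key: trust is rooted in the issuer URL. Whoever controls that URL (and the TLS connection to it) controls which keys are accepted, which is why the discovery document's `issuer` field is checked against the configured value and why the token is never allowed to choose its own algorithm.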

Ah, OK, thank you! I just looked up the discovery protocol; still learning this 🙂

It’s really cool… and kinda magic.