
I’m using the OpenAM OAuth 2.0/OpenID access_token endpoint to get an id_token. The id_token contains an RS256 signature.

I need to verify this token, so where can I get the “public certificate” that was used to sign this token?

I found a public key certificate here:
%BASE_DIR%/%SERVER_URI%/keystore.jks. But it says invalid when I validate with this certificate.

Sameera Kumarasingha

1 Answer


You can use the well-known configuration endpoint to find out the jwks_uri for the OIDC provider. Then it will be just a matter of selecting the right key from the jwks_uri response based on the "kid" value in the JWT.

Of course, looking at the jwks_uri endpoint will only make sense if the signing algorithm for the JWT is based on asymmetric keys (RS*, ES*).

Peter Major