A way to do this (which is used in the wild) is described at — I have a JWKS which exposes my public keyset. Tension: I want to ensure that the keys are not modified in transit by some man-in-the-middle. Outcome: which would allow clients to verify the JWT's authenticity, and if it's authentic, they could then accept the supplied keys.
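The approach in the post, wrapping the JWKS in a signed JWT so a client can check its integrity before trusting the keys, as an added illustration that is not part of the original post. It uses only the Python standard library, so it signs with HS256 and a pinned shared secret; in a real deployment the signer would use an asymmetric algorithm and the client would pin only the public key. `sign_jwks`, `verify_and_extract_jwks`, `tamper_token`, the secret and the sample JWKS are all hypothetical, constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret: stands in for the verification key the client has
# pinned out of band. (Assumption: a real setup would pin an asymmetric public key.)
PINNED_SECRET = b"example-pinned-secret-not-for-use"

# Constructed sample JWKS; the key material is placeholder text, not a real key.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "2024-key-1", "use": "sig",
                         "n": "placeholder-modulus", "e": "AQAB"}]}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwks(jwks: dict, secret: bytes) -> str:
    """Embed a JWKS document in an HS256-signed JWT (JWS compact form)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"jwks": jwks}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_extract_jwks(token: str, secret: bytes) -> Optional[dict]:
    """Return the embedded JWKS only if the signature verifies; otherwise None.

    The client must reject the keys unless this returns a dict: an unverified
    JWKS is exactly what an on-path attacker could have substituted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    # Pin the algorithm on the verifier side: never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_b64url_decode(p))
    jwks = payload.get("jwks")
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        return None
    return jwks


def tamper_token(token: str) -> str:
    """Simulate an in-transit modification: alter the key set but keep the signature."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["jwks"]["keys"][0]["kid"] = "substituted-key"
    return h + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    tok = sign_jwks(SAMPLE_JWKS, PINNED_SECRET)
    print("genuine accepted:", verify_and_extract_jwks(tok, PINNED_SECRET) is not None)
    print("tampered accepted:", verify_and_extract_jwks(tamper_token(tok), PINNED_SECRET) is not None)
```

The two checks a client must get right are visible in `verify_and_extract_jwks`: the algorithm is fixed by the verifier rather than read from the token, and the signature is compared with `hmac.compare_digest` before any key from the payload is looked at.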