Comment by masklinn
13 hours ago
What RFC? The oidc discovery spec has an example, and for change-password it’s just a redirect. RFC 8615 is about the existence and management of the .well-know namespace, so examples don’t really make sense.
13 hours ago
What RFC? The oidc discovery spec has an example, and for change-password it’s just a redirect. RFC 8615 is about the existence and management of the .well-know namespace, so examples don’t really make sense.
A JWKS is defined at /.well-known/jwks.json
It's a JSON array of public keys which you can use to validate a JWT which is what an OIDC token is.
Making it an array means you can rotate keys whenever but the validator is typically caching the public keys.
https://www.hanko.io/blog/understanding-jwks
Actually... found it https://datatracker.ietf.org/doc/html/rfc6749
And here's a PHP implementation that is perfect. https://github.com/thephpleague/oauth2-client