11Mar
Is it necessary to verify iss claim in a jwt if the jwk_urls are configured?
I am using auth0, and I have a setup a custom domain. As a result, depending on how I login, I can have multiple iss claims, for example :
So I have to configure all my backend services to accept both these iss claims. I was wondering, if I always check the jwt signature with the jwks url (either from auth0 domain or mine, it will lead to the same document), is it ok to just skip iss verification, as I can verify that the issuer is the one hosting my jwks_url page ?
