11 Mar
Is it necessary to verify the iss claim in a JWT if the jwk_urls are configured?
I am using Auth0, and I have set up a custom domain. As a result, depending on how I log in, I can have multiple iss claims, for example:
So I have to configure all my backend services to accept both these iss claims. I was wondering: if I always check the JWT signature with the JWKS URL (either from the Auth0 domain or mine, it will lead to the same document), is it OK to just skip iss verification, as I can verify that the issuer is the one hosting my jwks_url page?
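An added example, not part of the original post: one way a backend can accept both issuers while keeping the iss check as a separate step after signature verification. The two issuer URLs and the key are constructed placeholders (the post does not show its values), and HS256 with a local demo key stands in for the asymmetric key a real service would fetch from the JWKS URL.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: the post does not show its two issuer values.
ALLOWED_ISSUERS = frozenset({
    "https://tenant.idp.example/",    # provider-hosted domain (placeholder)
    "https://login.custom.example/",  # custom domain (placeholder)
})
DEMO_KEY = b"constructed-demo-key"  # stand-in for the key served by the JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 token for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if signature and issuer both check out, else raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    iss = claims.get("iss") if isinstance(claims, dict) else None
    # Exact string match against the allowlist: no prefix or substring matching.
    if not isinstance(iss, str) or iss not in ALLOWED_ISSUERS:
        raise ValueError("untrusted issuer")
    return claims
```

The example covers only the signature and issuer checks; expiry and audience validation are left out.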