I’m reading up on some OpenID Connect documentation trying to get my head around the protocol. I came across the issuer property that is common in the JWT tokens. How come this is required if we should always check the signature of the token against the expected endpoint?
I understand that one can validate against either a symmetric or asymmetric hash, but validation is expected either way.
Have I missed an important feature of the JWT?