JWT Bearer Token Validation

How does an API validate a JWT Bearer token without configuring a secret or a public key?

The authentication service uses the issuer's OIDC metadata (discovery) endpoints to obtain the key material it needs.

Steps:

  1. The OpenID configuration document is read first: https://{issuer}/.well-known/openid-configuration
  2. From that document it takes the jwks_uri value and loads the JWKS document it points to, for example https://{issuer}/.well-known/jwks.json
  3. The public key(s) in the JWKS document are then used to verify the signature of incoming JWT Bearer tokens
