oauth oauth-2.0 jwt openid identityserver4

How can I manually validate token I got from my custom authorization server by using jwt.io?

I am learning about OAuth2 and OpenID Connect by experimenting with ASP.NET Core and IdentityServer4. So far I created a protected API server, an authorization server and a client by following a certain Udemy course. Things worked out well as client is able to get access token from the authorization server and use it to access protected API in the ASP.NET Core Web API project.

However, I am curious how can I manually validate JWT I get from my authorization server. The token I get is this:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjdiMjM1NzYyMTRlOTg3ZjE3NTdjMWYxNDE1ZTg4OGEyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTMyNTYxNzMsImV4cCI6MTU1MzI1OTc3MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJiYW5rT2ZEb3ROZXRBcGkiXSwiY2xpZW50X2lkIjoiY2xpZW50Iiwic2NvcGUiOlsiYmFua09mRG90TmV0QXBpIl19.boION1QMOxuHxgIkBT0hZchkCEzINSpIS20Az5HkkkkrbH72IHqC2u9tOQobCsPt4okSPIuKGmgsGY2oyPMNcQpZPAOivmKXknhij_lhTv7pzaSXmFFSSpih-eigk4243VkGz8fTH9vA_IHmQ59o9zv0Wva_pKBt9lBSd39BDocNblJR092VHl66gAp79iEJctDzEKBBdN_E-RCrgPPsetU_sO0wqgOuxA0wECAo_jQhPu3LkuU9sKfj2HAFGLVxwz0Is3SAg1XIXeZylivAJdXThMkVypjrFBTeehso_9g26MVY4bKCfZ5Bx75NmYUbOfpX1gLPSo0CWvTfHhwaNg

When I decode it on jwt.io website I get Header:

{
  "alg": "RS256",
  "kid": "7b23576214e987f1757c1f1415e888a2",
  "typ": "JWT"
}

and Payload:

{
  "nbf": 1553256173,
  "exp": 1553259773,
  "iss": "http://localhost:5000",
  "aud": [
    "http://localhost:5000/resources",
    "bankOfDotNetApi"
  ],
  "client_id": "client",
  "scope": [
    "bankOfDotNetApi"
  ]
}

Since I used RS256 algorithm for signing I need to add public key to the jwt.io to verify the token. But where do I get this public key? If I go to discovery endpoint of my auth server (eg. http://localhost:5000/.well-known/openid-configuration/jwks) I get following data:

{
    keys: [
        {
            kty: "RSA",
            use: "sig",
            kid: "7b23576214e987f1757c1f1415e888a2",
            e: "AQAB",
            n: "509tIiUvmKkjjGOwzKElduRqpRND7YO-Op-IlsAeNwTlxY9_t22XfCqmxUyNvuvmdIVYXz-utl5bee3Tjwp8e7ok-Vn2uX-nI0jBcjTIKL0arbd7Qo5XgvICU4x-UcINrHtqMnY4S_R0uMKgaJkl3105bh9svQh--65tknjiKqmefT4M5SLHStWTisy2e0YwiaqvLam-O_rtbEawMy5-4avZep33y9Wz_JlgWyQ4jKD1Kn8mNGybjRoW3FJRkqzVNUSrGzjqwdDPL1cZOzM2HnbBqwVSFNnJiRYxPxKL_N8Q4CS9e2OVRjTof_EdzTTGC5mkOPhBCjpmvYS5d0j6JQ",
            alg: "RS256"
        }
    ]
}

But which of these is public key? I tried pasting values for n, e and kid to jwt.io page under public key textfield in the "verify signature" section, but I always get "Invalid signature" error.

So how do I get public key for RS256 token from discovery endpoint and how can I use it to validate token in manually in jwt.io website?

Solution

Put there the whole (first and only) keys object value, including curly brackets, at least the following:

{ 
     "kty":"RSA",  
     "kid":"7b23576214e987f1757c1f1415e888a2", 
     "e":"AQAB", 
     "n":"509tIiUvmKkjjGOwzKElduRqpRND7YO-Op-IlsAeNwTlxY9_t22XfCqmxUyNvuvmdIVYXz-utl5bee3Tjwp8e7ok-Vn2uX-nI0jBcjTIKL0arbd7Qo5XgvICU4x-UcINrHtqMnY4S_R0uMKgaJkl3105bh9svQh--65tknjiKqmefT4M5SLHStWTisy2e0YwiaqvLam-O_rtbEawMy5-4avZep33y9Wz_JlgWyQ4jKD1Kn8mNGybjRoW3FJRkqzVNUSrGzjqwdDPL1cZOzM2HnbBqwVSFNnJiRYxPxKL_N8Q4CS9e2OVRjTof_EdzTTGC5mkOPhBCjpmvYS5d0j6JQ"
}