I've developed an ASP.NET web application that is protected by Azure AD. The OpenID Connect OWIN middleware takes care of validating the JWT token from Azure AD. How does the OpenID Connect OWIN software actually validate the token? As I have understood JWT, both the sender (the server generating the JWT) and the receiver (the application consuming a JWT) need to share a secret, but what secret is that? I can't see that I have provided OWIN with any secrets. And I even see JavaScript examples where the JWT token is validated in JavaScript; how can that work, since JavaScript can't keep anything secret?
The OpenID Connect server signs tokens using a private key. The client validates the token signature using a public key available through the public metadata endpoint. There is no shared secret.
For Azure AD, read Fetch the OpenID Connect metadata document.