Currently, we embed the public key in the application for JWT validation. And we found that manual key rotation is quite hard. For example, the mobile app cannot switch the key on the same day we replace the key on the server.
So, we are working on an automatic key rotation approach. The idea is to get the clients to switch to a JWKS endpoint so that they can switch to the new key without a manual update.
I would like to ask: do we need HTTPS to protect the JWKS endpoint? Because if we use HTTPS with an internal CA or a self-signed cert, we may have to manually replace the cert in every client when it expires. This defeats the purpose of automatic key rotation.
You want TLS at the JWKS endpoint. Without TLS you will have no guarantee that the keys are coming from your server (someone will be able to spoof the response). So TLS at the JWKS endpoint is a must.
You don't need mutual TLS, unless there are some high security requirements for that.
As you pointed out it's best to use certs signed by a trusted CA for that purpose.
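To make the answer concrete, here is an added example (not code from the question or the answer above) of the client side of this design: a JWKS client that refuses anything other than an `https://` URL, caches keys by `kid`, and re-fetches the key set once when a token references an unknown `kid`, which is the usual signal that the server has rotated keys. The URL `https://auth.example.internal/.well-known/jwks.json`, the `kid` values and the key material are constructed placeholders, and the `FakeJwksServer` stands in for the real endpoint so the rotation can be simulated offline; the `https_fetch` helper shows how a real deployment would fetch the document with certificate verification left on.

```python
"""JWKS client with HTTPS enforcement and kid-based key rotation (added example)."""
import json
import ssl
import time
import urllib.request
from urllib.parse import urlparse


def https_fetch(url, timeout=5, cafile=None):
    """Real fetcher: urllib verifies the server certificate against the system
    trust store by default. If the endpoint uses an internal CA, pass its root
    via cafile instead of disabling verification; the CA root changes far less
    often than the leaf cert, so clients do not need updating at every renewal."""
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        return resp.read().decode("utf-8")


class JwksClient:
    """Caches signing keys by 'kid' and refreshes them automatically."""

    def __init__(self, jwks_url, fetch, ttl_seconds=3600,
                 min_refresh_interval=60, clock=time.time):
        if urlparse(jwks_url).scheme != "https":
            # Plain http would let anyone on the path substitute their own keys.
            raise ValueError("JWKS URL must use https:// so the key set is authenticated by TLS")
        self.jwks_url = jwks_url
        self._fetch = fetch
        self.ttl = ttl_seconds
        self.min_refresh_interval = min_refresh_interval  # limits refetch storms on bad kids
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        doc = json.loads(self._fetch(self.jwks_url))
        keys = {}
        for jwk in doc.get("keys", []):
            kid = jwk.get("kid")
            if kid and jwk.get("use", "sig") == "sig":  # ignore encryption keys
                keys[kid] = jwk
        self._keys = keys
        self._fetched_at = self._clock()

    def get_key(self, kid):
        """Return the JWK for kid, refreshing on TTL expiry or on an unknown kid."""
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at > self.ttl:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and now - self._fetched_at >= self.min_refresh_interval:
            self._refresh()  # the server may have rotated since the last fetch
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"unknown kid {kid!r}; token rejected")
        return key


class FakeJwksServer:
    """Constructed stand-in for the JWKS endpoint; key values are placeholders."""

    def __init__(self):
        self.keys = [{"kty": "RSA", "kid": "2024-01", "use": "sig",
                      "n": "placeholder-modulus-1", "e": "AQAB"}]
        self.fetch_count = 0

    def rotate(self, new_kid):
        # Publish the new key alongside the old one so tokens already issued
        # with the old key keep verifying until they expire.
        self.keys.append({"kty": "RSA", "kid": new_kid, "use": "sig",
                          "n": "placeholder-modulus-" + new_kid, "e": "AQAB"})

    def fetch(self, url):
        self.fetch_count += 1
        return json.dumps({"keys": self.keys})


def rejects_plain_http():
    """True if the client refuses an http:// JWKS URL."""
    try:
        JwksClient("http://auth.example.internal/.well-known/jwks.json", lambda u: "{}")
    except ValueError:
        return True
    return False


def simulate_rotation():
    """Walk through a server-side rotation and report how the client behaves."""
    server = FakeJwksServer()
    clock = [1000.0]
    client = JwksClient("https://auth.example.internal/.well-known/jwks.json",
                        server.fetch, ttl_seconds=3600, min_refresh_interval=60,
                        clock=lambda: clock[0])
    results = {}
    results["old_key_found"] = client.get_key("2024-01")["kid"] == "2024-01"
    results["fetches_after_first_lookup"] = server.fetch_count   # 1
    server.rotate("2024-02")
    clock[0] += 120
    results["new_key_found"] = client.get_key("2024-02")["kid"] == "2024-02"
    results["fetches_after_rotation"] = server.fetch_count       # 2: unknown kid triggered a refresh
    try:
        client.get_key("bogus")
        results["bogus_rejected"] = False
    except KeyError:
        results["bogus_rejected"] = True
    results["fetches_after_bogus"] = server.fetch_count          # still 2: refresh was rate limited
    return results


if __name__ == "__main__":
    print("rejects http:", rejects_plain_http())
    print(simulate_rotation())
```

The two things worth noticing are that the server keeps the old key published during a grace period (so rotation is a two-step change, add then remove), and that the client only refetches on an unknown `kid` after `min_refresh_interval`, so a flood of tokens with garbage `kid` values cannot be used to hammer the endpoint.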