Jwt.io self populating the signature


I am very new to JWT and signature validation. I had a very basic query. I am generating a token from MSAL (AAD). When I use the token in jwt.io, I can see that it automatically populates the secret key and marks the signature as verified. How does jwt.io know about this?

[Screenshot of jwt.io]

From the token generation point of view, I didn't mention anywhere explicitly to generate the token with any secret.


There is 1 answer

jps (best answer)

You don't show the details of your token here (which is ok), but I assume the token has a kid and maybe also a jku in the header.

The kid is the Key Id, and the jku the JSON Web Key Set URL. Under that URL (you can paste it into your browser to see) you can find a set of JWKs (JSON Web Keys), basically a collection of public keys in a special format. In the case of tokens issued by AAD, the JWKS_URI can be found at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.

JWT.io can read this information and find the key with the given kid and verify the token based on that.

This Q/A explains the verification of JWTs issued by AAD in more detail.