Identity Provider Details to Use for iss and aud Claims, and for the JWKS URI
The identity provider that issued the JSON Web Token (JWT) determines the allowed values you have to specify for the issuer (iss) and the audience (aud) claims in the JWT. Which identity provider issued the JWT also determines the URI from which to retrieve the JSON Web Key Set (JWKS) to verify the signature on the JWT.
Note that regardless of identity provider, a JWKS can contain a maximum of ten keys.
Use the following table to find out what to specify for JWTs issued by the OCI IAM with Identity Domains, Oracle Identity Cloud Service (IDCS), Okta, and Auth0 identity providers.
| Identity Provider | Issuer (`iss`) | Audience (`aud`) | Format of URI from which to retrieve the JWKS |
|---|---|---|---|
| OCI IAM with Identity Domains | `https://identity.oraclecloud.com` | Customer-specific. See Managing Applications in the OCI IAM with Identity Domains documentation. | `https://<tenant-base-url>/admin/v1/SigningCert/jwk` |
| IDCS | `https://identity.oraclecloud.com/` | Customer-specific. See Validating Access Tokens in the Oracle Identity Cloud Service documentation. | `https://<tenant-base-url>/admin/v1/SigningCert/jwk` To obtain the JWKS without logging in to Oracle Identity Cloud Service, see Change Default Settings in the Oracle Identity Cloud Service documentation. |
| Okta | `https://<your-okta-tenant-name>.com` | Customer-specific. The audience configured for the Authorization Server in the Okta Developer Console. See Additional validation for access tokens in the Okta documentation. | `https://<your-okta-tenant-name>.com/oauth2/<auth-server-id>/v1/keys` See the Okta documentation. |
| Auth0 | `https://<your-account-name>.auth0.com/` | Customer-specific. See Audience in the Auth0 documentation. | `https://<your-account-name>.auth0.com/.well-known/jwks.json` |
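
The following added example (not part of the original documentation and not Oracle's code) is a configuration diagnostic: it reads a token's `iss` and `aud` claims and compares them with the allowed values you plan to specify, and checks a JWKS document against the ten-key limit stated above. The function names and the sample token are constructed for illustration, and the signature is deliberately not verified, so use it only to find configuration mismatches, never to accept a token.

```python
import base64
import json

MAX_JWKS_KEYS = 10  # limit stated on this page

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(token: str) -> dict:
    # Diagnostic only: the signature is NOT checked here.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def check_claims(claims: dict, allowed_issuers: list, allowed_audiences: list) -> list:
    problems = []
    iss = claims.get("iss")
    if iss not in allowed_issuers:
        # Exact string comparison: a trailing slash makes a different issuer.
        problems.append(f"iss {iss!r} is not an allowed issuer")
    aud = claims.get("aud")
    # RFC 7519 allows aud to be a single string or an array of strings.
    token_auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if not any(a in allowed_audiences for a in token_auds):
        problems.append(f"aud {token_auds!r} matches no allowed audience")
    return problems

def check_jwks(jwks: dict) -> list:
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWKS has no 'keys' array"]
    if len(keys) > MAX_JWKS_KEYS:
        return [f"JWKS has {len(keys)} keys; maximum is {MAX_JWKS_KEYS}"]
    return []

def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature, for exercising the checks.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.c2ln"
```

A token whose `iss` is `https://identity.oraclecloud.com/` is reported as a mismatch when the allowed issuer is configured without the trailing slash, which is the difference between the OCI IAM and IDCS rows of the table.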