Verification of RSA signatures in JSON Web Tokens (RFC 7519, JWT) seems to contain a lot of hand waving and “you should download this discovery document and parse that JSON to download another discovery file …” and very few implementations which actually jump through all those hoops. Not good.
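The hoops described above, jumped through end to end, as an added example (not code from the original post): resolve the discovery document, follow it to the key set, pick the key by `kid` and check the RS256 signature using only the Python standard library. It assumes an OpenID Connect style layout (`/.well-known/openid-configuration` with a `jwks_uri`), which the post does not name; `fetch`, the issuer URL and the demo key are constructed stand-ins, and claim checks such as `exp` and `aud` are left out.

```python
import base64, hashlib, hmac, json

DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):
    # Expected EMSA-PKCS1-v1_5 block for SHA-256(msg); the verifier compares whole blocks.
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def resolve_keys(issuer, fetch):
    # Hoop 1: the discovery document. Hoop 2: the JWKS it points to.
    doc = json.loads(fetch(issuer + "/.well-known/openid-configuration"))
    if doc["issuer"] != issuer:
        raise ValueError("discovery document names a different issuer")
    return {k["kid"]: k for k in json.loads(fetch(doc["jwks_uri"]))["keys"]}

def verify_rs256(token, keys):
    h64, p64, s64 = token.split(".")
    header = json.loads(b64d(h64))
    if header.get("alg") != "RS256":  # the token does not get to pick the algorithm
        raise ValueError("unexpected alg")
    jwk = keys[header["kid"]]  # KeyError: signed with a key the issuer does not publish
    n, e = (int.from_bytes(b64d(jwk[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64d(s64)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if len(sig) != k or not hmac.compare_digest(em, emsa(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    return json.loads(b64d(p64))

# Constructed demo data: a throwaway key built from two well-known public primes
# (not secret, demo only), a made-up issuer served from a dict, and a demo signer.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
ISS = "https://issuer.example"
PAGES = {
    ISS + "/.well-known/openid-configuration": json.dumps({"issuer": ISS, "jwks_uri": ISS + "/jwks"}),
    ISS + "/jwks": json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "n": b64e(N.to_bytes(64, "big")), "e": "AQAB"}]}),
}

def sign_demo(claims):
    head = b64e(json.dumps({"alg": "RS256", "kid": "k1"}).encode())
    msg = head + "." + b64e(json.dumps(claims).encode())
    s = pow(int.from_bytes(emsa(msg.encode(), 64), "big"), D, N)
    return msg + "." + b64e(s.to_bytes(64, "big"))
```

In real use `fetch` would be an HTTPS GET with certificate validation, and the resolved key set would be cached rather than fetched per token.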