Abusing JWT public keys without the public key
blog.silentsignal.eu> The main lesson is: one should not rely on the secrecy of public keys
... that might be why they are called "public" keys
Yet we've had people argue that they wouldn't give us the public part of their JWT RSA signing keypair, because "they wouldn't publish that anyway", hence this post.