While trying out https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html, I am getting the error below. What is STS actually looking for in the validation? If the IdP's JWKS API response contains x5c having the public key and root CA certificates, can it handle token signature validation?
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidIdentityToken</Code>
<Message>Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements</Message>
</Error>
<RequestId>dfd6341d-9686-4acb-8e41-03471c6f5ef0</RequestId>
</ErrorResponse>
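A local check related to the question above, added here as an example and not part of the original post: it takes a token and the IdP's JWKS document and reports whether the entry matching the token's `kid` carries the key parameters RFC 7518 defines (`n` and `e` for RSA) or only an `x5c` certificate chain, which RFC 7517 treats as optional. It does not reproduce STS's own validation; the function names, the `kid` values and the JWKS contents are constructed for illustration.

```python
import base64
import json

# Public-key members defined by RFC 7518 for each key type.
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_header(jwt: str) -> dict:
    """Decode the JOSE header (first segment) without verifying anything."""
    seg = jwt.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def inspect_jwks(jwt: str, jwks: dict) -> dict:
    """Report how the JWKS entry for the token's kid carries its public key."""
    header = token_header(jwt)
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        return {"kid": kid, "found": False, "has_x5c": False,
                "problems": ["no key in the JWKS has the token's kid"]}
    kty = key.get("kty")
    problems = [f"missing '{m}'" for m in REQUIRED.get(kty, ()) if m not in key]
    if kty not in REQUIRED:
        problems.append(f"unexpected kty {kty!r}")
    if key.get("use", "sig") != "sig":
        problems.append("key is not marked for signatures")
    if "alg" in key and key["alg"] != header.get("alg"):
        problems.append("key alg differs from the token's alg")
    return {"kid": kid, "found": True, "has_x5c": "x5c" in key,
            "problems": problems}

# Constructed sample data: one entry exposes only a certificate chain,
# the other also exposes the RSA parameters directly.
SAMPLE_JWKS = {"keys": [
    {"kid": "cert-only", "kty": "RSA", "use": "sig",
     "x5c": ["CONSTRUCTED-LEAF-CERT", "CONSTRUCTED-ROOT-CERT"]},
    {"kid": "with-params", "kty": "RSA", "use": "sig", "alg": "RS256",
     "n": "CONSTRUCTED-MODULUS", "e": "AQAB", "x5c": ["CONSTRUCTED-LEAF-CERT"]},
]}

def sample_token(kid: str) -> str:
    """Build an unsigned, constructed token whose header names the given kid."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    return f"{header}.{_b64url(b'{}')}.constructed-signature"

if __name__ == "__main__":
    for kid in ("cert-only", "with-params", "absent"):
        print(inspect_jwks(sample_token(kid), SAMPLE_JWKS))
```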