Externally provided JWT Auth Token

I have a client that is doing their own SSO. They will produce the JWT Token themselves. How can I consume this token from within Istio for authentication? Is it best to import the keyset or for them to provide a url to verify the JWT? Whats the best way to access the URL for confirming this? Am I better off importing the validation key or pulling from a URL that they provide?