By default, the public key used to validate the signature is embedded in the token response. That means the RP:
- validates the signature using the embedded certificate, and
- creates the thumbprint (hash) over the embedded certificate and makes sure it matches the configured thumbprint.
The signature check on its own only proves the token is consistent with whatever certificate was embedded; it is the thumbprint comparison that ties that certificate to the issuer you actually trust. This way you don't need to deploy the certificate on the RP, only its thumbprint.
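The two-step check described above, as an added example in Go (this is not code from the original post or from any federation product). It assumes a token whose signed payload, detached signature and DER-encoded signing certificate have already been extracted from the response; the self-signed certificate, the `sts.example.test` subject and the signed payload are all constructed inline so the example runs offline. The thumbprint here is SHA-256 over the DER bytes; real deployments often configure SHA-1 thumbprints, so `Thumbprint` is the one place to change if you need to match an existing configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thumbprint returns the lower-case hex SHA-256 hash over the certificate's DER bytes.
// (Assumption: the RP is configured with SHA-256 thumbprints; swap the hash for SHA-1 if needed.)
func Thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// normalizeThumbprint tolerates the "AB:CD:..." or "AB CD ..." forms that certificate
// viewers produce, so a value pasted into configuration still compares correctly.
func normalizeThumbprint(s string) string {
	s = strings.ToLower(s)
	s = strings.ReplaceAll(s, ":", "")
	return strings.ReplaceAll(s, " ", "")
}

// ValidateToken performs the RP-side checks from the text:
//  1. the signature over payload verifies with the key embedded in the token, and
//  2. the thumbprint of that embedded certificate matches the configured one.
// Step 2 is what binds the token to a trusted issuer; step 1 alone only proves
// consistency with whatever certificate happened to be embedded.
func ValidateToken(payload, sig, embeddedDER []byte, configuredThumbprint string) error {
	cert, err := x509.ParseCertificate(embeddedDER)
	if err != nil {
		return fmt.Errorf("parse embedded certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, payload, sig); err != nil {
		return fmt.Errorf("signature does not verify with embedded certificate: %w", err)
	}
	got := normalizeThumbprint(Thumbprint(embeddedDER))
	want := normalizeThumbprint(configuredThumbprint)
	// Constant-time compare so the check does not leak how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return errors.New("embedded certificate thumbprint does not match configured thumbprint")
	}
	return nil
}

// issueTestCert stands in for the issuer (STS): a constructed self-signed certificate
// whose DER bytes play the role of the certificate embedded in the token response.
func issueTestCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sts.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// signPayload produces the issuer's RSA PKCS#1 v1.5 / SHA-256 signature over the token body.
func signPayload(key *rsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

func main() {
	key, der, err := issueTestCert()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed token body") // stands in for the signed token content
	sig, err := signPayload(key, payload)
	if err != nil {
		panic(err)
	}
	// The RP holds only the thumbprint, not the certificate itself.
	configured := Thumbprint(der)
	fmt.Println("valid token:", ValidateToken(payload, sig, der, configured))
	fmt.Println("tampered payload:", ValidateToken([]byte("tampered"), sig, der, configured))
}
```

The order of the two checks follows the text; doing the thumbprint comparison first is equally sound and rejects tokens carrying an unexpected certificate before any signature work is spent.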