diff --git a/ChangeLog b/ChangeLog
index b413072..23abbe1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+01/13/2023
+- when parsing JWKs with an x5c claim the claim was wronly assumed to
+  be base64url encoded instead of base64 encoded;
+  see #460
+
 11/06/2022
 - a new option local_redirect_path can be used is situations where the
   redirect_uri as is visible to lua-resty-openidc is not simply the path
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
index a73b714..0ab9745 100644
--- a/lib/resty/openidc.lua
+++ b/lib/resty/openidc.lua
@@ -844,7 +844,7 @@ end
 
 local function openidc_pem_from_x5c(x5c)
   log(DEBUG, "Found x5c, getting PEM public key from x5c entry of json public key")
-  local chunks = split_by_chunk(b64(openidc_base64_url_decode(x5c[1])), 64)
+  local chunks = split_by_chunk(x5c[1], 64)
   local pem = "-----BEGIN CERTIFICATE-----\n" ..
       table.concat(chunks, "\n") ..
       "\n-----END CERTIFICATE-----"