ID token issued by AAD doesn't match public signing key

%3CLINGO-SUB%20id%3D%22lingo-sub-1525653%22%20slang%3D%22en-US%22%3EID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1525653%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20encountered%20an%20issue%20that%20ID%20tokens%20(JWT)%20issued%20by%20AAD%20do%20not%20match%20a%20public%20signing%20key.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20my%20JWKS%20url%3A%26nbsp%3B%3CA%20title%3D%22%22%20href%3D%22https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Flogin.microsoftonline.com%252F1d063515-6cad-4195-9486-ea65df456faa%252Fdiscovery%252Fv2.0%252Fkeys%26amp%3Bdata%3D02%257C01%257Cyu.kuang.lu%2540LEGO.com%257C83d34dcb3e744cd9498508d8294edcdf%257C1d0635156cad41959486ea65df456faa%257C1%257C0%257C637304765982427993%26amp%3Bsdata%3D9WgGhPx7T%252B9ngD3RSu6zT3ePFwIfr3IwKk2m9JiNAxE%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F1d063515-6cad-4195-9486-ea65df456faa%2Fdiscovery%2Fv2.0%2Fkeys%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20the%20ID%20token%20I%20receive%20has%20a%20unmatched%20kid%20like%20below%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%7B%0A%26nbsp%3B%20%22typ%22%3A%20%22JWT%22%2C%0A%26nbsp%3B%20%22alg%22%3A%20%22RS256%22%2C%0A%26nbsp%3B%20%22kid%22%3A%20%22ylQQc6jLgNEIt8AMAPm8jR27QCE%22%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIt's%20been%20working%20fine%20until%20a%20couple%20of%20days%20ago.%20It%20is%20mentioned%20somewhere%20that%20AAD%20rotates%20public%20keys%20but%20it%20seems%20tokens%20might%20be%20persisted%20without%20knowledge%20that%20the%20signing%20key%20has%20changed.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHowever%20access%20token%20match%20one%20of%20the%20keys%20like%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%7B%0A%20%20%22typ%22%3A%20%22JWT%22%2C%0A%20%20%22nonce%22%3A%20%22ExKWqBKO2TvzbusXVkALk0RQhka3YiNxEKQg69gs27Q%22%2C%0A%20%20%22alg%22%3A%20%22RS256%22%2C%0A%20%20%22x5t%22%3A%20%22huN95IvPfehq34GzBDZ1GXGirnM%22%2C%0A%20%20%22kid%22%3A%20%22huN95IvPfehq34GzBDZ1GXGirnM%22%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20this%20the%20expected%20behaviour%3F%20AAD%20is%20my%20IDP%20and%20AWS%20Cognito%20is%20the%20auth%20server%20in%20my%20set%20up.%20Because%20of%20this%20issue%2C%20Cognito%20is%20unable%20to%20verify%20signature%20of%20ID%20tokens%20therefore%20users%20can%20sign%20in%20but%20cannot%20proceed%20further%20because%20of%20this.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHas%20anyone%20come%20across%20a%20similar%20issue%20before%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1525653%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EID%20token%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOIDC%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1534914%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1534914%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F730306%22%20target%3D%22_blank%22%3E%40Alex_Lu%3C%2FA%3E%26nbsp%3BHi%2C%20is%20the%20id_token%20still%20valid%3F%20According%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fid-tokens%23validating-an-id_token%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fid-tokens%23validating-an-id_token%3C%2FA%3E%26nbsp%3Bid_token%20should%20be%20within%20validity%20period%2C%20I%20would%20say%20(hope)%20that%20Azure%20AD%20does%20not%20rotate%20the%20keys%20until%20the%20id_tokens%20issued%20with%20previous%20key%20are%20still%20valid.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMartin%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1552352%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1552352%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F213505%22%20target%3D%22_blank%22%3E%40Martin%20Rublik%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20reply.%20Yes%20it%20was%20still%20valid.%20I%20also%20waited%20for%20the%20token%20to%20expire%20and%20requested%20a%20new%20token%20and%20I%20still%20didn't%20see%20any%20changes.%20It's%20very%20odd.%20We%20had%20to%20switch%20to%20SAML%20as%20we%20were%20not%20able%20to%20find%20out%20exactly%20why%20AAD%20behaved%20like%20this.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1633983%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1633983%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F730306%22%20target%3D%22_blank%22%3E%40Alex_Lu%3C%2FA%3E%26nbsp%3BI've%20run%20into%20exactly%20the%20same%20problem%3A%20the%20signing%20key%20(for%20the%20id%20token)%20does%20not%20match%20any%20of%20the%20keys%20pulled%20from%20the%20JWK%20uri%20(%2Fdiscovery%2Fv2.0%2Fkeys)%20while%20the%20signing%20key%20for%20the%20access%20token%20does%20match%20one.%20Were%20you%20able%20to%20solve%20it%20somehow%3F%20It%20seems%20not%20much%20we%20can%20do%20until%20Azure%20fixes%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1634522%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1634522%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781718%22%20target%3D%22_blank%22%3E%40jinsongz%3C%2FA%3E%2C%20I'm%20glad%20someone%20else%20has%20encountered%20the%20same%20issue.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20had%20no%20choice%20but%20to%20switch%20to%20SAML%20as%20the%20rest%20of%20the%20companies%20are%20all%20SAML%20based%20clients.%20Our%20set%20up%20is%20to%20have%20AWS%20cognito%20as%20authorization%20server%20with%20AAD%20as%20IDP.%20I%20suggest%20you%20follow%20the%20same%20pattern%20if%20you%20have%20a%20similar%20set%20up.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1874807%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1874807%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F730306%22%20target%3D%22_blank%22%3E%40Alex_Lu%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETry%20this%20endpoint%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2F%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2F%3CTENANT-NAME%3E.b2clogin.com%2F%3C%2FTENANT-NAME%3E%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CTENANT-NAME%3E.onmicrosoft.com%2F%3CPOLICY_NAME%3E%2Fdiscovery%2Fv2.0%2Fkeys%3C%2FPOLICY_NAME%3E%3C%2FTENANT-NAME%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2239530%22%20slang%3D%22en-US%22%3ERe%3A%20ID%20token%20issued%20by%20AAD%20doesn't%20match%20public%20signing%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2239530%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F730306%22%20target%3D%22_blank%22%3E%40Alex_Lu%3C%2FA%3Eand%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781718%22%20target%3D%22_blank%22%3E%40jinsongz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20had%20a%20same%20issue%20where%20the%20key%20id%20in%20the%20id%20tokens%26nbsp%3B%20were%20not%20found%20at%20%22https%3A%2F%2Flogin.microsoftonline.com%2F1d063515-6cad-4195-9486-ea65df456faa%2Fdiscovery%2Fv2.0%2Fkeys%22.%20Then%20I%20came%20across%20this%20piece%20in%20the%20documentation%20which%20says%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%22%3CSPAN%3EIf%20your%20app%20has%20custom%20signing%20keys%20as%20a%20result%20of%20using%20the%26nbsp%3Bclaims-mapping%3CSPAN%3E%26nbsp%3Bfeature%2C%20you%20must%20append%20an%26nbsp%3Bappid%3CSPAN%3E%26nbsp%3Bquery%20parameter%20containing%20the%20app%20ID%20to%20get%20a%26nbsp%3Bjwks_uri%3CSPAN%3E%26nbsp%3Bpointing%20to%20your%20app's%20signing%20key%20information%2C%20which%20should%20be%20used%20for%20validation.%20For%20example%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%7Btenant%7D%2F.well-known%2Fopenid-configuration%3Fappid%3D6731de76-14a6-49ae-97bc-6eba6914391e%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%7Btenant%7D%2F.well-known%2Fopenid-configuration%3Fappid%3D6731de76-14a6-49ae-97bc-6eba6914391e%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bcontains%20a%26nbsp%3Bjwks_uri%3CSPAN%3E%26nbsp%3Bof%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%7Btenant%7D%2Fdiscovery%2Fkeys%3Fappid%3D6731de76-14a6-49ae-97bc-6eba6914391e%26quot%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%7Btenant%7D%2Fdiscovery%2Fkeys%3Fappid%3D6731de76-14a6-49ae-97bc-6eba6914391e%22%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20updated%20my%20code%20to%20look%20for%20the%20jwks_uri%20as%20mentioned%20above%2C%20I%20was%20able%20to%20find%20the%20matching%20key%20Id.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2316137%22%20slang%3D%22en-US%22%3ERe%3A%20%D0%A2%D0%BE%D0%BA%D0%B5%D0%BD%20ID%2C%20%D0%B2%D1%8B%D0%BF%D1%83%D1%89%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9%20AAD%2C%20%D0%BD%D0%B5%20%D1%81%D0%BE%D0%BE%D1%82%D0%B2%D0%B5%D1%82%D1%81%D1%82%D0%B2%D1%83%D0%B5%D1%82%20%D0%BF%D1%83%D0%B1%D0%BB%D0%B8%D1%87%D0%BD%D0%BE%D0%BC%D1%83%20%D0%BA%D0%BB%D1%8E%D1%87%D1%83%20%D0%BF%D0%BE%D0%B4%D0%BF%D0%B8%D1%81%D0%B0%D0%BD%D0%B8%D1%8F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2316137%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1010385%22%20target%3D%22_blank%22%3E%40Ashish-Prakash-Patil%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi,

 

I've encountered an issue that ID tokens (JWT) issued by AAD do not match a public signing key. 

 

This is my JWKS url: https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys

 

However the ID token I receive has a unmatched kid like below

 

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "ylQQc6jLgNEIt8AMAPm8jR27QCE"
}

 

 

It's been working fine until a couple of days ago. It is mentioned somewhere that AAD rotates public keys but it seems tokens might be persisted without knowledge that the signing key has changed. 

 

However access token match one of the keys like

 

{
  "typ": "JWT",
  "nonce": "ExKWqBKO2TvzbusXVkALk0RQhka3YiNxEKQg69gs27Q",
  "alg": "RS256",
  "x5t": "huN95IvPfehq34GzBDZ1GXGirnM",
  "kid": "huN95IvPfehq34GzBDZ1GXGirnM"
}

 

 

Is this the expected behaviour? AAD is my IDP and AWS Cognito is the auth server in my set up. Because of this issue, Cognito is unable to verify signature of ID tokens therefore users can sign in but cannot proceed further because of this.

 

Has anyone come across a similar issue before?

7 Replies

@Alex_Lu Hi, is the id_token still valid? According to https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id_token id_token should be within validity period, I would say (hope) that Azure AD does not rotate the keys until the id_tokens issued with previous key are still valid.

 

Martin

@Martin Rublik Thanks for the reply. Yes it was still valid. I also waited for the token to expire and requested a new token and I still didn't see any changes. It's very odd. We had to switch to SAML as we were not able to find out exactly why AAD behaved like this. 

@Alex_Lu I've run into exactly the same problem: the signing key (for the id token) does not match any of the keys pulled from the JWK uri (/discovery/v2.0/keys) while the signing key for the access token does match one. Were you able to solve it somehow? It seems not much we can do until Azure fixes it.

Hi @jinsongz, I'm glad someone else has encountered the same issue. 

 

We had no choice but to switch to SAML as the rest of the companies are all SAML based clients. Our set up is to have AWS cognito as authorization server with AAD as IDP. I suggest you follow the same pattern if you have a similar set up.

@Alex_Lu 

Try this endpoint 

https://<tenant-name>.b2clogin.com/

<tenant-name>.onmicrosoft.com/<policy_name>/discovery/v2.0/keys

@Alex_Luand @jinsongz 

 

I had a same issue where the key id in the id tokens  were not found at "https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys". Then I came across this piece in the documentation which says 

 

"If your app has custom signing keys as a result of using the claims-mapping feature, you must append an appid query parameter containing the app ID to get a jwks_uri pointing to your app's signing key information, which should be used for validation. For example   https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae... contains a jwks_uri of  https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e...

 

When I updated my code to look for the jwks_uri as mentioned above, I was able to find the matching key Id.