I've encountered a very strange issue and I don't know how how this is happening. My set up is AWS Cognito as Authorization Server and AAD as IDP. Cognito is talking to AAD via OIDC protocol. When a user authenticates successfully, AAD issues a ID token and redirects back to Cognito. However this ID token is signed by a key that does not exist in JWKS doc.