ID tokens are signed by a key that does not exist


Hi,

I've encountered a very strange issue and I don't know how this is happening. My setup is AWS Cognito as Authorization Server and AAD as IDP. Cognito is talking to AAD via the OIDC protocol. When a user authenticates successfully, AAD issues an ID token and redirects back to Cognito. However, this ID token is signed by a key that does not exist in the JWKS doc.

This is my JWKS doc: https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys.

I decoded an ID token and found a different signing key.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "ylQQc6jLgNEIt8AMAPm8jR27QCE"
}

I also noticed that this issue only happens to ID tokens. Access tokens are signed by a matching key in the JWKS doc.

I tried signing in from all devices and shut my laptop for a few hours, but this issue still persists. I'm afraid my IT team can't help.

Does anyone know why this is happening?

0 Replies
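The check the poster ran by hand, as an added example (not code from the post or from AWS/Microsoft): parse the JWT header, look the `kid` up in the JWKS document, and fail closed when no key matches instead of accepting the token. The JWKS and its kids are constructed for offline use; Microsoft's token-validation docs note that an app configured with custom signing keys (via claims mapping) publishes its keys only when `?appid=<client-id>` is appended to the keys endpoint, which is one documented reason a `kid` can be missing from the tenant-wide document.

```python
import base64
import json
from typing import List, Optional

# Constructed JWKS for offline use: the kids and key values are made up and stand
# in for the real document at https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "constructed-kid-A", "n": "constructed-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "constructed-kid-B", "n": "constructed-modulus", "e": "AQAB"},
    ]
}

# Pin the algorithm the issuer actually uses; "none" and HMAC algs are rejected outright.
ALLOWED_ALGS = {"RS256"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_header_only_token(header: dict) -> str:
    # Test helper: header + empty payload ({}) + empty signature, enough to drive key lookup.
    return f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(b'{}')}."


def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    """Return the JWK whose kid matches the token header, or None (fail closed) when no match."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") not in ALLOWED_ALGS or not header.get("kid"):
        return None
    for jwk in jwks.get("keys", []):
        if (jwk.get("kid") == header["kid"]
                and jwk.get("kty") == "RSA"
                and jwk.get("use", "sig") == "sig"):
            return jwk
    return None


def available_kids(jwks: dict) -> List[str]:
    # Diagnostic: which kids does the keys endpoint actually publish? Compare against the token header.
    return [k["kid"] for k in jwks.get("keys", []) if "kid" in k]
```

A verifier that returns None here must reject the token; the poster's `kid` value would hit exactly this path against the tenant-wide document.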