ID tokens are signed by a key that does not exist

Copper Contributor

Hi,


I've encountered a very strange issue and I don't know how this is happening. My setup is AWS Cognito as Authorization Server and AAD as IDP. Cognito is talking to AAD via the OIDC protocol. When a user authenticates successfully, AAD issues an ID token and redirects back to Cognito. However, this ID token is signed by a key that does not exist in the JWKS doc.


This is my JWKS doc https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys.


I decoded an ID token and found a different signing key.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "ylQQc6jLgNEIt8AMAPm8jR27QCE"
}


I also noticed that this issue only happens to ID tokens. Access tokens are signed by a matching key in the JWKS doc.


I tried signing from all devices and shut my laptop for a few hours, but this issue still persists. I'm afraid my IT team can't help.


Does anyone know why this is happening?

0 Replies
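The check a relying party should run before trusting a token like the one above, as an added example that is not part of the original post: resolve the header's kid against the JWKS and confirm the token's issuer belongs to the tenant whose JWKS you fetched, since a JWKS from one tenant or endpoint will never contain another's signing keys. The JWKS, key ids and tenant id below are constructed placeholders; only the kid `ylQQc6jLgNEIt8AMAPm8jR27QCE` is taken from the post.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample JWKS: these key ids are invented for this example. A real check
# fetches the JWKS published by the tenant named in the token's "iss" claim, e.g.
# https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "EXAMPLE-KID-1", "e": "AQAB", "n": "placeholder"},
    {"kty": "RSA", "use": "sig", "kid": "EXAMPLE-KID-2", "e": "AQAB", "n": "placeholder"},
]}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_token(kid: str, issuer: str) -> str:
    """Build a structurally valid but UNSIGNED JWT as constructed offline input."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, "aud": "example-client"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def check_token_key(token: str, jwks: dict, jwks_tenant: str) -> dict:
    """Report whether the kid resolves in the JWKS and whether the token's issuer
    belongs to the tenant the JWKS was fetched for. Verifying the RS256 signature
    itself needs a JWT library and is deliberately out of scope here."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    kid = header.get("kid")
    signing_kids = {k["kid"] for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"}
    # v2.0 issuers look like https://login.microsoftonline.com/<tenant>/v2.0 and
    # v1.0 issuers like https://sts.windows.net/<tenant>/ : the first path element is the tenant.
    issuer_tenant = urlparse(payload.get("iss", "")).path.strip("/").split("/")[0]
    result = {
        "kid": kid,
        "alg": header.get("alg"),
        "kid_in_jwks": kid in signing_kids,
        "issuer_tenant": issuer_tenant,
        "issuer_matches_jwks_tenant": issuer_tenant == jwks_tenant,
    }
    result["accept"] = (result["kid_in_jwks"] and result["issuer_matches_jwks_tenant"]
                        and result["alg"] == "RS256")
    return result
```

A token whose kid is absent from the JWKS, or whose issuer tenant differs from the JWKS tenant, is reported as not acceptable; either case means the JWKS in hand is not the one that can verify it.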