I've encountered a very strange issue and I don't know how this is happening. My setup is AWS Cognito as the Authorization Server and AAD as the IDP. Cognito is talking to AAD via the OIDC protocol. When a user authenticates successfully, AAD issues an ID token and redirects back to Cognito. However, this ID token is signed by a key that does not exist in the JWKS doc.
This is my JWKS doc https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys.
I decoded an ID token and found a different signing key.
I also noticed that this issue only happens to ID tokens. Access tokens are signed by a matching key in the JWKS doc.
I tried signing from all devices and shut my laptop for a few hours but this issue still persists. I'm afraid my IT team can't help.
Does anyone know why this is happening?
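As an added diagnostic (not part of the original post), the check below does what the poster describes by hand: decode the JWT header without verifying it, read `kid` (and `x5t` as a fallback, since Microsoft tokens carry both), look it up in a JWKS document, and report the `iss` claim so the JWKS is fetched from the discovery document of the issuer that actually minted the token. The JWKS, key ids and issuer URL are constructed placeholders, not the poster's tenant.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) WITHOUT checking the signature; used only to learn
    which key the issuer says it used and which issuer minted the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def find_signing_key(header: dict, jwks: dict) -> Optional[dict]:
    """Match the header's 'kid' against the JWKS; fall back to the 'x5t' thumbprint."""
    for key in jwks.get("keys", []):
        if header.get("kid") and key.get("kid") == header["kid"]:
            return key
        if header.get("x5t") and key.get("x5t") == header["x5t"]:
            return key
    return None


def diagnose(token: str, jwks: dict) -> dict:
    """Summarise why signature validation would succeed or fail against this JWKS."""
    header, claims = parse_jwt_unverified(token)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "iss": claims.get("iss"),  # the JWKS must come from THIS issuer's discovery doc
        "key_found": find_signing_key(header, jwks) is not None,
    }


def _constructed_token(header: dict, claims: dict) -> str:
    """Build a sample token with a dummy signature; only header/claims are inspected."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(claims).encode()), enc(b"dummy-signature")])


# Constructed sample data (placeholders, not real tenant values).
JWKS = {"keys": [{"kty": "RSA", "kid": "key-a", "x5t": "key-a", "n": "AQAB", "e": "AQAB"},
                 {"kty": "RSA", "kid": "key-b", "x5t": "key-b", "n": "AQAB", "e": "AQAB"}]}
ISSUER = "https://login.example.test/tenant-id/v2.0"
ACCESS_TOKEN = _constructed_token({"alg": "RS256", "kid": "key-a", "x5t": "key-a"}, {"iss": ISSUER})
ID_TOKEN = _constructed_token({"alg": "RS256", "kid": "key-z", "x5t": "key-z"}, {"iss": ISSUER})
THUMBPRINT_ONLY = _constructed_token({"alg": "RS256", "x5t": "key-b"}, {"iss": ISSUER})
```

Running `diagnose(ID_TOKEN, JWKS)` on the constructed data reports `key_found: False` with the unmatched `kid`, which is the situation the post describes; comparing the `iss` values of the ID token and access token against the URL the JWKS was fetched from is the next thing to check.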