ID tokens are signed by a key that does not exist

New Contributor

Hi,

 

I've encountered a very strange issue and I don't know how how this is happening. My set up is AWS Cognito as Authorization Server and AAD as IDP. Cognito is talking to AAD via OIDC protocol. When a user authenticates successfully, AAD issues a ID token and redirects back to Cognito. However this ID token is signed by a key that does not exist in JWKS doc. 

 

This is my JWKS doc https://login.microsoftonline.com/1d063515-6cad-4195-9486-ea65df456faa/discovery/v2.0/keys.

 

I decoded an ID token and found a different signing key.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "ylQQc6jLgNEIt8AMAPm8jR27QCE"
}

 

I also noticed that this issue only happens to ID tokens. Access tokens are signed by a matching key in JWKS doc. 

 

I tried signing from all devices and shut my laptop for a few hours but this issue still persists. I'm afraid my IT team can't help. 

 

Does anyone know why this is happening?

0 Replies