ID tokens are signed by a key that does not exist

Copper Contributor



I've encountered a very strange issue and I don't know how this is happening. My setup is AWS Cognito as Authorization Server and AAD as IDP. Cognito is talking to AAD via the OIDC protocol. When a user authenticates successfully, AAD issues an ID token and redirects back to Cognito. However, this ID token is signed by a key that does not exist in the JWKS doc.


This is my JWKS doc


I decoded an ID token and found a different signing key.

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "ylQQc6jLgNEIt8AMAPm8jR27QCE"
}


I also noticed that this issue only happens to ID tokens. Access tokens are signed by a matching key in the JWKS doc.


I tried signing from all devices and shut my laptop for a few hours but this issue still persists. I'm afraid my IT team can't help. 


Does anyone know why this is happening?

0 Replies
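The first thing to check when a token's `kid` cannot be found is whether the token really comes from the issuer whose JWKS you are reading, and whether the lookup is an exact `kid` match. The script below is an added example, not code from the poster or from Cognito/AAD: it decodes the JWT header and payload without verifying the signature (diagnosis only), compares the `iss` claim against the issuer you expect, and reports whether the header's `kid` appears in the JWKS. The tokens, key IDs, tenant ID and JWKS entries are all constructed placeholders, not real AAD values.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    This is a diagnostic helper only; nothing here establishes that the token
    is genuine. Signature verification still has to happen against the JWK.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def find_jwk(jwks: dict, kid: str) -> Optional[dict]:
    """Look up a key by exact 'kid' match; None when the JWKS has no such key."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None


def diagnose(token: str, jwks: dict, expected_issuer: str) -> str:
    """Classify why a token's signing key may not be found in a JWKS document."""
    header, payload = decode_jwt_unverified(token)
    kid = header.get("kid")
    if kid is None:
        return "no-kid"                 # header carries no key id at all
    if payload.get("iss") != expected_issuer:
        return "issuer-mismatch"        # token came from another issuer/endpoint,
                                        # so its keys live in a different JWKS
    jwk = find_jwk(jwks, kid)
    if jwk is None:
        return "kid-not-in-jwks"        # the symptom described in the post
    if jwk.get("alg") not in (None, header.get("alg")):
        return "alg-mismatch"           # key exists but is published for another alg
    return "kid-found"


def make_constructed_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed test data)."""
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"constructed-signature-not-valid"),
    ]
    return ".".join(segments)


# Constructed sample data (placeholder tenant, kids and key material).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "key-A", "n": "placeholder-modulus-A", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "key-B", "n": "placeholder-modulus-B", "e": "AQAB"},
    ]
}
CLAIMS = {"iss": ISSUER, "aud": "constructed-client-id", "sub": "constructed-user"}

TOKEN_KNOWN_KID = make_constructed_token(
    {"typ": "JWT", "alg": "RS256", "kid": "key-A"}, CLAIMS)
TOKEN_UNKNOWN_KID = make_constructed_token(
    {"typ": "JWT", "alg": "RS256", "kid": "key-C"}, CLAIMS)
TOKEN_OTHER_ISSUER = make_constructed_token(
    {"typ": "JWT", "alg": "RS256", "kid": "key-C"},
    {**CLAIMS, "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"})

if __name__ == "__main__":
    for name, tok in [("known kid", TOKEN_KNOWN_KID),
                      ("unknown kid", TOKEN_UNKNOWN_KID),
                      ("other issuer", TOKEN_OTHER_ISSUER)]:
        print(f"{name:>13}: {diagnose(tok, SAMPLE_JWKS, ISSUER)}")
```

Run it against a real token by replacing the constructed token with the ID token from the browser redirect and `SAMPLE_JWKS` with the document fetched from the `jwks_uri` listed in the issuer's OpenID configuration; an `issuer-mismatch` result means the JWKS being consulted belongs to a different issuer than the one that minted the token, while `kid-not-in-jwks` with a matching issuer points at a key-publication or caching problem to raise with the IdP.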