phlogiston

Reputation: 371

AWS Cognito: invalid token signature, could not match the desired key identifier within the list of keys

I'm trying to connect an external Identity Provider to AWS Cognito using OpenId Connect. I have encountered several issues that I have managed to overcome by passing AWS requests through some Python Lambda APIs that add/rename OpenId Connect parameters that AWS Cognito does not provide natively. I am close to the end of the login process where the JWT provided by the Identity Provider must be verified by AWS Cognito using the Identity Provider's JWKS certificate.

It's at this point that Cognito terminates the login process with this message appended to the Callback URL: #error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request

The only semi-helpful thing I could find by googling is this thread on the AWS support forums: https://forums.aws.amazon.com/message.jspa?messageID=878359

It appears in that thread that the well-known JWKS URL did not contain a kid key in the JSON.

In my case the JWKS kid DOES appear in the Identity Provider's JWKS data:

   {
      "keys":[
         {
            "kty":"RSA",
            "e":"AQAB",
            "n":"qRoNXLUugbenQTBHswfiGoKuhKkvUPP6A1GllxEZEAX86FiFSrXr7x_suHZ4cBytsmtFuYGymJZAGTk7DLzvMW0BHZpVtMZ3qvBDsYbNQGN4oLLxIy5-Q1rT1XTZhNkJwaj7gndbKHpQ33FqNQphhdchXB28N9GekDCJKzwEEThhxHkBxhq-hYAkd6rZ2fLiiyd5C4MSO0pMB-E_oGrNdYhCoydaFqVAhojn8am9za-JkjZIE9-Shlv_CQGt0yr91h3agVxeR2aeuZjQmvrhALJUeeJxG4D_Xl-w4v_O6nl0nllKXKHFxjP4ejDdNbht2a1L9BgJoYBjq6pUcWT49w",
            "kid":"jBiPzwFLIHbNa0SNXKJ6IJFacuMeSdqdsHSOyC4yXio"
         }
      ]
   }

Does anyone know the root cause of the issue? Do I need to tweak the JWKS JSON provided to AWS in some way to make this error go away?

Upvotes: 1

Views: 1993

Answers (1)

phlogiston

Reputation: 371

As it turns out, I misunderstood the message from AWS. The kid is not referring to the kid in the JWKS. It is referring to the kid header attribute within the JWT itself. In my case the IDP was not providing the kid so AWS Cognito was getting confused when it tried to verify the JWT it was receiving.

Upvotes: 1
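The key-selection step the answer describes, as an added Python example (not code from the question, the asker, or AWS): the kid is read from the JWT header and looked up in the JWKS, so a token whose header has no kid fails before any signature is checked. The JWKS below reuses the kid quoted in the question with a placeholder modulus, and the token helper builds an unsigned, constructed token purely to exercise the lookup.

```python
import base64
import json

# Constructed JWKS: the kid is the one quoted in the question; the modulus is a
# placeholder because only the key lookup is demonstrated, not RSA verification.
JWKS = {"keys": [{"kty": "RSA", "e": "AQAB", "n": "<modulus omitted>",
                  "kid": "jBiPzwFLIHbNa0SNXKJ6IJFacuMeSdqdsHSOyC4yXio"}]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_token(header: dict) -> str:
    # Constructed helper: a JWT-shaped string with a placeholder signature so
    # the header lookup can be exercised. Nothing here is cryptographically signed.
    payload = {"sub": "example-user", "iss": "https://idp.example"}
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), "signature-placeholder"])

def select_verification_key(token: str, jwks: dict) -> dict:
    """Return the JWKS entry whose kid equals the kid in the JWT header.
    Cognito's 'Could not match the desired key identifier within the list of
    keys' means this lookup, which precedes signature checking, failed: the
    header had no kid, or a kid that is absent from the JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    kid = header.get("kid")
    if kid is None:
        raise KeyError("JWT header carries no kid; the IdP must emit one")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no JWKS key with kid {kid!r}; check the IdP's key rotation")

def diagnose(token: str, jwks: dict) -> str:
    # Classify the lookup outcome with short labels, e.g. for a Lambda log line.
    try:
        select_verification_key(token, jwks)
        return "ok"
    except KeyError:
        header = json.loads(b64url_decode(token.split(".")[0]))
        return "missing_kid" if "kid" not in header else "unknown_kid"
```

Running `diagnose` on the token the IdP actually returns is a quick way to tell the two causes of this Cognito error apart before touching the JWKS.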
