Access token suddenly stopped containing the `kid` header

emilhansen · May 4, 2022, 3:42pm

Our Authorisation just started failing when trying to verify users internally in the system.

We’ve been logging in via an SPA application to get an access token. We’ve then been using the header of that request to get the “kid” which we’ve been using to decode the token internally within our backend.
Today the access token stopped containing the kid header which means that we can no longer decode it.

We’ve not made any changes to our Auth0 configuration lately and this started failing simultaneously on all of our environments.

Has the Auth0 login process changed somehow that means that the access tokens are generated in a different way?

tyf · May 6, 2022, 12:19am

Hi there @emilhansen and welcome to the community!

Have you been able to make any progress on this?

I am not aware of any changes on Auth0’s end that would cause this - The only time I’ve seen an Access Token that doesn’t contain the kid header is if the access token was signed using HS256 as opposed to RS256. The reason being that the client secret is used in lieu of the kid in the context of HS256.

Let us know!

tyf · May 21, 2022, 12:20am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Access token kid Help	5	9325	June 29, 2020
idToken generated by impersonation does not contains 'kid' property JWT.io auth0	9	9632	April 2, 2019
Problem verifying ID token Help jwt , id_token	2	3401	August 26, 2019
Is it possible to return JWT Header''s KID field in AuthResult returned after Authentication? Help jwks , authentication , jwt-validation , openidconnect	4	5710	March 2, 2018
What is the origin of the "kid" claim in the JWT? Help jwt	6	14280	March 2, 2018

Access token suddenly stopped containing the `kid` header

Related topics