Invalid token - Invalid JOSE Header kid

Problem statement

We are using Angular 14 with the Auth0 Angular SDK. We are getting the token using “getAccessTokenSilently” and using this access_token in our APIs. However, we encountered the following error:

error : "invalid_token"
error_description : "Invalid JOSE Header kid (xnNEyhXArlnU_oUgEzLpP)"

Solution

In your case, the issue lies in the ‘kid’ claim, which is an optional header claim used to specify the key for validating the signature, specifically when employing RS256 as your signing algorithm.

However, since you are using HS256 as your signing algorithm, the ‘kid’ is not present. This indicates that the same key will be used to both generate and subsequently validate the signature. It’s imperative to keep this key confidential and only share it among the parties that require it for validating a JSON Web Token (JWT).

If you were using RS256, the ‘kid’ would be included in the header. This inclusion enables the corresponding public key to be identified from the list of public keys available in the JSON Web Key Set (JWKS) endpoint. This feature is particularly valuable during key rotation.

To resolve this, you need to ensure that your application’s registered signing algorithm matches your app’s configuration.