Problem statement
Using Angular 14 with the Auth0 Angular SDK, obtaining a token with “getAccessTokenSilently” and then presenting that access token to an application (for example a backend API that validates it) can produce the error below.
error: "invalid_token"
error_description: "Invalid JOSE Header kid (xnNEyhXArlnU_oUgEzLpP)"
Solution
The ‘kid’ (key ID) is an optional JOSE header parameter, not a payload claim. It identifies the key to use for validating the signature when RS256 is the signing algorithm.
With HS256 there is no ‘kid’. The same shared secret both generates the signature and validates it, so that secret must be kept confidential and shared only with the parties that need it to validate the JWT.
With RS256, ‘kid’ is included in the header so that the public key corresponding to the private key that produced the signature can be picked out of the list of public keys published at the JWKS endpoint. This is what makes key rotation work: a validator that caches the JWKS must refresh it when it meets a ‘kid’ it does not know, otherwise tokens signed with a newly rotated key are rejected with exactly this kind of error.
Check the signing algorithm registered for the application in the Auth0 Dashboard (for an access token issued for an API, the API’s own signing algorithm setting applies) and make sure the code that validates the token is configured for the same algorithm. A validator set up for HS256 has no JWKS to resolve the ‘kid’ against and cannot accept an RS256-signed token, and a validator set up for RS256 needs the JWKS endpoint to resolve the ‘kid’; a mismatch between the two sides is the usual cause of this error.