JWT 'kid' invalid

I am integrating custom JWT authentication in MongoDB. I have used the correct JWK URI -

https://{auth_server}/.well-known/jwks.json

But whenever I try to access the API with the JWT provided by Auth0 → API → Test tab → cURL command, I always run into an ‘invalid kid’ error. I have verified that the kid in the JWT and in jwks.json are the same. I suspect the kid provided by Auth0 is invalid. Please help in rectifying this issue.

Hi @shaswat607,

Can you please share more details:

  • What is throwing the error? An Auth0 API, or a custom API?
  • If it is a custom API, please provide a code snippet.
  • Please provide a sample token with sensitive data removed.

Hi @dan.woda, thanks for responding.
I have GraphQL APIs set up in MongoDB Atlas. For their authentication, I am setting up Custom JWT Auth using Auth0.

First I created an API in Auth0, with Audience as the GraphQL Endpoint in Atlas.

Then, to set up custom JWT auth in Atlas, I provided the JWK URI and the same Audience that I set up the Auth0 API with.

When I run the query with a test JWT token, I receive "error": "value of 'kid' has invalid format".

Test JWT - eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldJeWhoLVlHamY1Z2dFdGdQa1ViUSJ9.eyJpc3MiOiJodHRwczovL2Rldi1mZWNmN3IzeC51cy5hdXRoMC5jb20vIiwic3ViIjoib0V2amFhclYxOHZ6MHQ4WnF5dEdDdUl5SURkTlhQNFJAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vdXMtZWFzdC0xLmF3cy5yZWFsbS5tb25nb2RiLmNvbS9hcGkvY2xpZW50L3YyLjAvYXBwL3JlZm95ZXItZGV2LWFwcC1vZGJuZi9ncmFwaHFsLyIsImlhdCI6MTY4MjM2MDYzOCwiZXhwIjoxNjgyNDQ3MDM4LCJhenAiOiJvRXZqYWFyVjE4dnowdDhacXl0R0N1SXlJRGROWFA0UiIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.OJGXrk40hn1-mSI7BP6eO7sXbreEDx50pUEfvx4KZMpoNsIOxxq-fjKoAGN4W-Vca_fIZP4tHDNlHbi4D0iqF7vcELWOdc3YqoFSLF7dn8D_5D2833uuFtxGk4A-TtDG71w5O-16zP_b0XJLexw-xn-LZL1TVMGeRZ44eDsFZ6F2YX6uE6J5584I7siyFMCPzEl5FBrp0F1qDvno9lJ0nwTUBdj8cLYEcoYt6XUfFtm910sQeTO90fbY2JI71nsS4Rw4c0GEOLT1uqnJn63Ui9LmtZQQkjRLiAHfzqpxCBMI2OHggIJz7JjQ9Li1NBvKEHcNTLhxvFvAFKMaN30qUQ

Moreover, if I use the SDK to fetch the access token using auth0.getAccessTokenSilently(), I get an invalid token. Here is an example:
eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtZmVjZjdyM3gudXMuYXV0aDAuY29tLyJ9…F3kcxBqU1ZupVvkS.mn9CEV1ROINNbhRLprcXhEP3cKg7-Ps8QsNVilhDvx7pdZRFwPvJRDwp9WES3ZnV7LayVBqRzmfdeREXnmfQ7jlZV_vzTn1gjjzA9y_F5WFKyf44GE0RxaANdGOuRRNel-g0wZ8qTF231XslqTb5cxDEmUUZ8qImqjTIXE0voVwDiVG7a9SDkCIRWMTLphNf_nw_7HJHERlkFiq38es7qjFS-PTiPZXGIi-4wiMgz6lx_VejBq22Q9UyOhUWtQSLdqyE0FNTho4micqnrqlMdn7gH1KHRR9iAQbcL9KV8rg4IaWq5Y4oALGM2PJF_MAtz2E.fMvzHE9vvx0tMYapTgmCUQ

Something is really incorrect with how the tokens are being built by Auth0.

Thanks for the additional info.

The token you provided has a kid that matches the one from the JWKs endpoint. We can assume that is working properly.

How are you sending the JWT to Mongo? Could you please provide a code snippet?

I am providing it as a standard authorization bearer token. Could you try resetting the JWKs for my app? Maybe that would solve it?

Also, why is the SDK fetching an invalid JWT token? Could you please check what’s wrong here? Neither the test JWT nor the real JWT is valid.

Could you try resetting the JWKs for my app? Then I will try again.

Auth0 issues two formats of tokens: JWTs (the first token you listed) and JWEs (the second token you listed). The second token is encrypted and cannot be decrypted by an API outside of Auth0. The SDK is fetching an encrypted token because you aren’t specifying an audience.

The first token, the JWT, is correctly formed and matches the JWKs for your tenant. I have validated this token, and it works fine. Everything is working normally from Auth0. The API registered for that audience (mongo) should be able to consume that token.

Most likely, something is wrong with how mongo is consuming the token. If I search the error you listed, I can find that mongo doesn’t accept tokens with the standard Authentication Bearer header. Have you tried searching the error you provided?
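As an added illustration of the distinction drawn in the reply above (a signed JWT that a resource server can check against the tenant's JWKS, versus an encrypted JWE that only the issuer can open) and of the kid lookup behind "invalid kid" style errors, here is a small Python preflight. It is example code written for this page, not code from the thread, from Auth0 or from MongoDB. It uses the first token posted in the thread unchanged; for the second token only the protected header is on the page, so the remaining JWE segments are constructed placeholders. The JWKS document is also constructed (the real one lives at the tenant's `/.well-known/jwks.json`), with a `kid` copied from the token header and a placeholder modulus, so the code checks key selection and audience but does not verify the signature.

```python
import base64
import json

# First token from the thread: a signed JWT (JWS compact serialization, 3 segments).
SAMPLE_JWS = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldJeWhoLVlHamY1Z2dFdGdQa1ViUSJ9"
    "."
    "eyJpc3MiOiJodHRwczovL2Rldi1mZWNmN3IzeC51cy5hdXRoMC5jb20vIiwic3ViIjoib0V2amFhclYxOHZ6MHQ4WnF5dEdDdUl5SURkTlhQNFJAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vdXMtZWFzdC0xLmF3cy5yZWFsbS5tb25nb2RiLmNvbS9hcGkvY2xpZW50L3YyLjAvYXBwL3JlZm95ZXItZGV2LWFwcC1vZGJuZi9ncmFwaHFsLyIsImlhdCI6MTY4MjM2MDYzOCwiZXhwIjoxNjgyNDQ3MDM4LCJhenAiOiJvRXZqYWFyVjE4dnowdDhacXl0R0N1SXlJRGROWFA0UiIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9"
    "."
    "OJGXrk40hn1-mSI7BP6eO7sXbreEDx50pUEfvx4KZMpoNsIOxxq-fjKoAGN4W-Vca_fIZP4tHDNlHbi4D0iqF7vcELWOdc3YqoFSLF7dn8D_5D2833uuFtxGk4A-TtDG71w5O-16zP_b0XJLexw-xn-LZL1TVMGeRZ44eDsFZ6F2YX6uE6J5584I7siyFMCPzEl5FBrp0F1qDvno9lJ0nwTUBdj8cLYEcoYt6XUfFtm910sQeTO90fbY2JI71nsS4Rw4c0GEOLT1uqnJn63Ui9LmtZQQkjRLiAHfzqpxCBMI2OHggIJz7JjQ9Li1NBvKEHcNTLhxvFvAFKMaN30qUQ"
)

# Second token from the thread: only its protected header is on the page, so the other
# four JWE segments (empty encrypted key for alg "dir", IV, ciphertext, tag) are
# constructed placeholders. A JWE has 5 segments and an "enc" header; a JWS has 3 and none.
SAMPLE_JWE = (
    "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtZmVjZjdyM3gudXMuYXV0aDAuY29tLyJ9"
    "..placeholder-iv.placeholder-ciphertext.placeholder-tag"
)

# Constructed stand-in for https://{auth_server}/.well-known/jwks.json. Only "kid" matters
# for key selection here; "n" is a placeholder, not the tenant's real modulus.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "WIyhh-YGjf5ggEtgPkUbQ", "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "alg": "RS256",
         "kid": "older-key-placeholder", "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
}

# The audience the poster registered: the Atlas GraphQL endpoint carried in the token's aud claim.
EXPECTED_AUD = "https://us-east-1.aws.realm.mongodb.com/api/client/v2.0/app/refoyer-dev-app-odbnf/graphql/"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JOSE strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def protected_header(token: str) -> dict:
    """Parse the first segment; it is plaintext JSON for both JWS and JWE."""
    return json.loads(b64url_decode(token.split(".")[0]))


def token_kind(token: str) -> str:
    """Classify by segment count and the presence of the JWE-only "enc" header."""
    parts = token.split(".")
    header = protected_header(token)
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    return "malformed"


def find_signing_key(token: str, jwks: dict):
    """Return the JWKS entry whose kid matches the token header, or None."""
    kid = protected_header(token).get("kid")
    if not isinstance(kid, str) or not kid:
        return None
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def preflight(token: str, jwks: dict, expected_aud: str) -> dict:
    """Checks a resource server does before signature verification.

    The signature itself is not verified (that needs the real public key); the point
    is to show why a token is rejected before verification is even attempted.
    """
    kind = token_kind(token)
    report = {"kind": kind, "kid": None, "key_found": False, "aud_ok": False, "reason": None}
    if kind == "JWE":
        report["reason"] = "encrypted token: only the issuer can decrypt it; request an access token with an audience"
        return report
    if kind != "JWS":
        report["reason"] = "not a compact JWS"
        return report
    report["kid"] = protected_header(token).get("kid")
    key = find_signing_key(token, jwks)
    report["key_found"] = key is not None
    if key is None:
        report["reason"] = "no JWKS entry with this kid"
        return report
    claims = json.loads(b64url_decode(token.split(".")[1]))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    report["aud_ok"] = expected_aud in audiences
    if not report["aud_ok"]:
        report["reason"] = "audience mismatch"
    return report


if __name__ == "__main__":
    print(preflight(SAMPLE_JWS, SAMPLE_JWKS, EXPECTED_AUD))
    print(preflight(SAMPLE_JWE, SAMPLE_JWKS, EXPECTED_AUD))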

Thanks for looking up the MongoDB issue. Using the header does solve the issue. Also, thanks for pointing out that I was missing the audience. I added the Audience in the config code, and the function getAccessTokenSilently now returns a valid token that works.


Great, glad we found a resolution.
