Amending the JWKS domain and associated endpoints

We have recently changed domains and as such have uplifted all of the URLs associated with our JWKS endpoints.

We have used the connection management tool within the INT environment to amend our CIS2 configuration and have also updated the JWKS address within the Digital Onboarding Portal.

We are experiencing an issue when requesting to exchange the auth token for an access token where we are informed that our KID is not present within the JWKS endpoint. We can however see the corresponding KID entry when viewing the JWKS endpoint.

We have spoken with the CIS2 who have referred us to this community as they believe the issue relates to the Digital Onboarding Portal which is managed by the API Management team.

Here is a sample response that we are currently receiving even though the KID is present and set in both locations.

{
    "error": "invalid_request",
    "error_description": "Invalid 'kid' header in client_assertion JWT - no matching public key",
    "message_id": "rrt-826575031932329240-a-geu2-1647767-107268927-1"
}

The JWKS endpoint specified in CIS2 Auth configuration is not the same one that the API platform uses/holds, unless you have configured the API platform to look at the same JWKS.

CIS2 Auth is the OIDC authentication platform.
API-M has its own OAuth server for access.

Token exchange is where you swap the CIS2 Auth id token for an access token on the API platform.
They are separate systems.

User-restricted RESTful APIs - CIS2 separate authentication and authorisation - NHS England Digital
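A small diagnostic that mirrors the point made in the reply above: the `kid` in the `client_assertion` JWT sent at token exchange has to be present in the JWKS the API platform holds (the address registered in the Digital Onboarding Portal), and it is not enough for it to appear in the JWKS configured in CIS2 Auth. This is an added example, not code from the post or from NHS England; the two key sets and the key IDs (`api-m-key-2023`, `new-domain-key-2024`) are constructed placeholders, and the JWT is built unsigned purely to exercise header parsing.

```python
import base64
import json

# Constructed JWKS (placeholder keys, not real NHS key material): the key set that
# the API platform (API-M) holds for this client, i.e. the address registered in the
# Digital Onboarding Portal. Shape follows RFC 7517.
APIM_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "api-m-key-2023", "use": "sig", "alg": "RS512",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}

# Constructed JWKS as configured in CIS2 Auth via the connection management tool.
# After a domain move these two sets can legitimately differ, which is the failure
# mode described in the question.
CIS2_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "new-domain-key-2024", "use": "sig", "alg": "RS512",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWT. No signature check is done here;
    this only inspects which key the token claims to be signed with."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def kids_in(jwks: dict) -> set:
    """Collect every 'kid' advertised by a JWKS document."""
    return {k["kid"] for k in jwks.get("keys", []) if "kid" in k}


def diagnose(client_assertion: str, apim_jwks: dict, cis2_jwks: dict) -> str:
    """Classify why API-M would (or would not) find the assertion's signing key.

    Returns one of:
      "ok"                    - kid is in the API platform's JWKS, as required
      "kid-only-in-cis2-jwks" - kid is only in the CIS2 Auth JWKS (the case in the post)
      "kid-unknown"           - kid is in neither key set
      "missing-kid"           - the JWT header carries no kid at all
    """
    kid = jwt_header(client_assertion).get("kid")
    if kid is None:
        return "missing-kid"
    if kid in kids_in(apim_jwks):
        return "ok"
    if kid in kids_in(cis2_jwks):
        return "kid-only-in-cis2-jwks"
    return "kid-unknown"


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a constructed JWT with an empty signature segment, only so the header
    parsing above can be exercised offline. Never send such a token anywhere."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # The situation in the question: the key is in the JWKS CIS2 was pointed at,
    # but the API platform still holds a different key set.
    assertion = make_unsigned_jwt(
        {"alg": "RS512", "typ": "JWT", "kid": "new-domain-key-2024"},
        {"iss": "client-id", "sub": "client-id", "aud": "https://example.invalid/token"},
    )
    print(diagnose(assertion, APIM_JWKS, CIS2_JWKS))
```

When the result is `kid-only-in-cis2-jwks`, the fix is on the API platform side (the JWKS address it holds), not in the CIS2 Auth configuration.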