Azure AD JWT Token Not Accepted by ServiceNow MCP Server – "Key ID not found in JWKS"

ubhimani
Tera Expert

Hi everyone,

I’m currently working on integrating authentication between Microsoft Azure Active Directory and the ServiceNow MCP server, and I’m running into an issue with JWT token validation.

We are implementing a token-based authentication flow where:

  • Users are authenticated via Azure AD
  • A JWT access token is generated using OAuth 2.0 / OpenID Connect
  • This token is then used to authenticate requests to the ServiceNow MCP server

The goal is to enable secure, token-based authentication using Azure AD–issued tokens.


Current Setup

  • Identity Provider: Microsoft Azure Active Directory
  • Authentication Protocol: OAuth 2.0 / OpenID Connect
  • Token Type: JWT Access Token
  • API Testing Tool: Insomnia
  • Target System: ServiceNow MCP Server

Observed Behavior

  • Azure AD authentication is working as expected
    • Successfully generating JWT access tokens via Insomnia
    • Token appears structurally valid and contains expected claims
  • However, when using the same token to authenticate with the ServiceNow MCP server:
    • The request fails during authentication

Error Message

Streamable HTTP error: Error POSTing to endpoint:
{
  "error": "Authentication failed",
  "message": "Key ID not found in JWKS",
  "details": "Please provide a valid JWT token"
}

What We’re Trying to Understand

  • How does ServiceNow MCP validate JWT tokens against JWKS?
  • Does MCP require explicit configuration of Azure AD’s JWKS endpoint?
  • Are there any additional steps required to trust external IdPs like Azure AD?
  • Could this be related to key rotation, kid mismatch, or issuer/audience validation?

Additional Context

  • Token includes a kid in the header
  • Azure AD JWKS endpoint is accessible and returns signing keys
  • No custom token manipulation is being performed

Has anyone successfully configured Azure AD JWT authentication with the ServiceNow MCP server?

Any pointers on:

  • Required MCP configuration for external JWKS validation
  • Common pitfalls with Azure AD tokens
  • Debugging "Key ID not found in JWKS" errors

would be really helpful.


Thanks in advance for your help!


JaishreeR
Giga Guru

Hi @ubhimani - Can you provide the architecture diagram of what you're trying to implement, so we can analyze it and provide a solution?

Tanushree Maiti
Kilo Patron

Hi @ubhimani

C) Regarding debugging "Key ID not found in JWKS" errors

1) As per KB2780010, JSON Web Key Set (JWKS) URL for inbound integration:

Ensure the JWKS URL in the OAuth JWT Bearer Grant configuration matches the endpoint of your Identity Provider (e.g., Azure AD) exactly.

Resolution

This approach was implemented in the Zurich version to simplify configuration because you can paste the JWKS URL directly into the designated field without worrying about manual JWT key mapping.
Also, using the JWKS URL for the inbound JWT Bearer grant type is supported to get a token that works on the ServiceNow site.

Step-by-step configuration instructions to update the JWKS URL field:

- Select the 'Inbound Integrations' module from the filter navigator

- Click New Integration and select 'OAuth JWT bearer grant'

- Paste the JWKS URL from the IdP under 'JWKS URL (JSON Web Key Set)'

- The JWKS URL must be copied from the Identity Provider.

2) If the Identity Provider (IdP) has recently rotated its signing keys, the ServiceNow instance may be using a cached version of the JWKS that does not contain the new kid.

Refer: Steps to manually refresh the JWKS URI if the automatic refresh fails or if you rotate the public ke...

3) If ServiceNow is unable to access the external JWKS endpoint (e.g., if it’s blocked by a firewall), it won’t be able to retrieve the keys.

Make sure the endpoint is publicly reachable or allowed through your network configuration.

Also refer: Private Key JWT Support for OAuth 2.0 Client Authentication

B. Regarding common pitfalls with Azure AD tokens:

In my project, we have faced this.

1. When using the Authorization Code grant type, failing to include the offline_access scope will prevent ServiceNow from receiving a refresh token.

Without it, the access token will expire (usually after one hour), requiring manual re-authentication.

2. For Client Credentials flows, Azure AD requires scopes to be suffixed with /.default (i.e., https://graph.microsoft.com/.default) rather than listing individual permissions.

A. Regarding required MCP configuration for external JWKS validation:

Refer to these, if it helps:

Create an MCP Connector with OAuth 2.1 

Federated Token Authentication for ServiceNow API Access (Inbound Authentication)

Integrate ServiceNow with Azure Active directory

Regarding Azure AD JWT authentication with the ServiceNow MCP server, refer to: Securing MCP Servers with Azure AD and JWT-based Role Authorization

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
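To make the failure modes discussed in this thread concrete (the original question's "kid mismatch, key rotation, or issuer/audience validation" and the reply's point 2 about a cached JWKS that lacks a newly rotated kid), here is an added, self-contained Python walkthrough. It is not code from ServiceNow, the MCP server, or either poster: it implements a minimal RS256 issuer and a generic JWKS-caching validator of the kind a resource server runs, and replays the scenarios behind "Key ID not found in JWKS". Everything in it is constructed: the RSA key pair is built from two publicly known Mersenne primes and is therefore useless outside an offline demo, and the issuer and audience strings are placeholders, not a real tenant.

```python
import base64, hashlib, json

# Constructed toy RSA key: p and q are the publicly known Mersenne primes 2^521-1
# and 2^607-1, so this key pair is only usable for an offline demonstration.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 (RFC 8017, 9.2 note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(msg: bytes) -> bytes:
    return pow(int.from_bytes(pkcs1_v15_encode(msg, K), "big"), D, N).to_bytes(K, "big")

def verify_rs256(msg: bytes, sig: bytes, jwk: dict) -> bool:
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_encode(msg, k)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == em

def jwk_for(kid: str) -> dict:
    """Publish the toy public key under a given kid, as one JWKS entry."""
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url(N.to_bytes(K, "big")), "e": b64url(E.to_bytes(3, "big"))}

def mint_token(kid: str, claims: dict) -> str:
    """Issue a compact JWT the way an IdP would: header.payload.signature."""
    h = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url(json.dumps(claims).encode())
    return f"{h}.{p}.{b64url(sign_rs256(f'{h}.{p}'.encode()))}"

class JwksValidator:
    """Resource-server side: cache the JWKS, refresh it once when a token carries
    an unknown kid, then check signature, issuer, audience and expiry."""
    def __init__(self, fetch_jwks, issuer: str, audience: str):
        self.fetch_jwks, self.issuer, self.audience = fetch_jwks, issuer, audience
        self.cache, self.refreshes = self._load(), 0

    def _load(self) -> dict:
        return {k["kid"]: k for k in self.fetch_jwks()["keys"]}

    def validate(self, token: str, now: int):
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "RS256":
            return False, "unsupported alg"
        kid = header.get("kid")
        if kid not in self.cache:          # stale cache after rotation, or wrong JWKS URL
            self.cache, self.refreshes = self._load(), self.refreshes + 1
        jwk = self.cache.get(kid)
        if jwk is None:
            return False, "Key ID not found in JWKS"
        if not verify_rs256(f"{h}.{p}".encode(), b64url_decode(s), jwk):
            return False, "invalid signature"
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") != self.issuer:
            return False, "issuer mismatch"
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "audience mismatch"
        if claims.get("exp", 0) <= now:
            return False, "token expired"
        return True, claims

def run_scenarios() -> dict:
    """Cases behind 'Key ID not found in JWKS'; issuer and audience are placeholders."""
    iss = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
    aud = "api://mcp-server-placeholder"
    now = 1_700_000_000
    idp = {"keys": [jwk_for("key-2024")]}          # what the IdP currently publishes
    v = JwksValidator(lambda: idp, iss, aud)
    base = {"iss": iss, "aud": aud, "exp": now + 3600}
    out = {"ok": v.validate(mint_token("key-2024", base), now)[0]}
    # kid never published by the JWKS the server points at (e.g. another tenant's URL)
    out["unknown_kid"] = v.validate(mint_token("key-1999", base), now)[1]
    out["refreshes_after_unknown"] = v.refreshes
    # rotation: IdP publishes a new kid, cached JWKS is stale, refresh-on-miss recovers
    idp["keys"] = [jwk_for("key-2025")]             # toy reuses the modulus under a new kid
    out["rotated"] = v.validate(mint_token("key-2025", base), now)[0]
    out["refreshes_after_rotation"] = v.refreshes
    # right key, but a token minted for a different audience (e.g. Microsoft Graph)
    out["wrong_aud"] = v.validate(mint_token("key-2025", {**base, "aud": "https://graph.microsoft.com"}), now)[1]
    # right kid, payload altered after signing: the signature no longer verifies
    h, p, s = mint_token("key-2025", base).split(".")
    out["tampered"] = v.validate(f"{h}.{b64url(json.dumps({**base, 'exp': now + 86400}).encode())}.{s}", now)[1]
    return out
```

Calling `run_scenarios()` shows the two distinct causes of the same error string: a kid that the configured JWKS will never contain (which no refresh fixes, so the JWKS URL itself is wrong for the issuer of the token), and a kid that appears only after a rotation (which a refresh does fix). The practical check this suggests is to compare the `kid` in the token header against the keys returned by the `jwks_uri` published in the issuer's OpenID discovery document, since a token's kid is only guaranteed to be present in the JWKS of the issuer that minted it; the audience case is the separate pitfall where a token issued for another API passes the kid and signature checks and still must be rejected.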