diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index bd039d8d2..bf1f5215c 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -389,7 +389,10 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 claimsSet.setIssueTime(now);
 claimsSet.setNotBeforeTime(now);
- SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claimsSet);
+ JWSHeader header = new JWSHeader(alg, null, null, null, null, null, null, null, null, null,
+ signer.getDefaultSignerKeyId(),
+ null, null);
+ SignedJWT jwt = new SignedJWT(header, claimsSet);
 signer.signJwt(jwt, alg);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index b9aae1acf..0b9111e17 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
@@ -181,7 +181,10 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 || signingAlg.equals(JWSAlgorithm.HS384)
 || signingAlg.equals(JWSAlgorithm.HS512)) {
- idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
+ JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+ jwtService.getDefaultSignerKeyId(),
+ null, null);
+ idToken = new SignedJWT(header, idClaims);
 JWTSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
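Review bot: The new `JWSHeader` construction passes ten positional `null`s around the one value that matters, so the `kid` argument position is easy to misread and can silently shift if the Nimbus constructor signature changes; if the nimbus-jose-jwt version in use offers `JWSHeader.Builder`, the same header reads as `JWSHeader header = new JWSHeader.Builder(alg).keyID(signer.getDefaultSignerKeyId()).build();`. The identical pattern appears in the DefaultOIDCTokenService hunks at 181 and 288, in ConnectTokenEnhancer, UserInfoJWTView and DefaultUmaTokenService. The enclosing method of this hunk starts and ends outside it. A one-line comment above the header, such as `// advertise the signing key id so verifiers can select the matching JWK`, would also make the reason for the constructor change visible at the call site.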
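Review bot: In this symmetric-algorithm branch the header's `kid` is taken from `jwtService.getDefaultSignerKeyId()`, but the token is then signed by `symmetricCacheService.getSymmetricValidtor(client)` on the next context line, so the advertised key id presumably names the server's default signing key rather than the client-secret-derived key that actually produces the signature, and a verifier that selects keys by `kid` would look up the wrong one. Either take the id from the signer that is used — move the header construction below `JWTSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);` and call `signer.getDefaultSignerKeyId()` — or leave `kid` unset on this path. The UserInfoJWTView hunk builds the header the same way immediately before its `HS256`/`HS384` branch and needs the same check. The enclosing method continues outside this hunk.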
@@ -288,7 +291,10 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
- SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+ JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+ jwtService.getDefaultSignerKeyId(),
+ null, null);
+ SignedJWT signed = new SignedJWT(header, claims);
 jwtService.signJwt(signed);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 0a3ea618e..19d2cf038 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -101,8 +101,10 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
-
- SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+ JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+ jwtService.getDefaultSignerKeyId(),
+ null, null);
+ SignedJWT signed = new SignedJWT(header, claims);
 jwtService.signJwt(signed);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoJWTView.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoJWTView.java
index ba5e9a015..5a57d271d 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoJWTView.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoJWTView.java
@@ -136,8 +136,10 @@ public class UserInfoJWTView extends UserInfoView {
 if (client.getUserInfoSignedResponseAlg() != null) {
 signingAlg = client.getUserInfoSignedResponseAlg(); // override with the client's preference if available
 }
-
- SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+ JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
+ jwtService.getDefaultSignerKeyId(),
+ null, null);
+ SignedJWT signed = new SignedJWT(header, claims);
 if (signingAlg.equals(JWSAlgorithm.HS256)
 || signingAlg.equals(JWSAlgorithm.HS384)
diff --git a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
index fff7f82ec..9b3a0e6d0 100644
--- a/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
+++ b/uma-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
@@ -104,7 +104,10 @@ public class DefaultUmaTokenService implements UmaTokenService {
 JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
- SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims);
+ JWSHeader header = new JWSHeader(signingAlgorithm, null, null, null, null, null, null, null, null, null,
+ jwtService.getDefaultSignerKeyId(),
+ null, null);
+ SignedJWT signed = new SignedJWT(header, claims);
 jwtService.signJwt(signed);