JWT ID token using a different jwks_uri which has an appid parameter

Shiva Kiran 0 Reputation points
2024-05-17T20:31:35.1666667+00:00

The JWT ID token generated by this Azure AD application is using keys from "jwks_uri": "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}" rather than the keys from this link: https://login.microsoftonline.com/{tenant_id}/v2.0/discovery/keys (i.e., the link provided in the OpenID metadata link in the application endpoints). Is there a way to make my application use public keys from the standard link and not have the extra appid parameter?

How is it affecting my application?

We use AWS AppSync. AppSync has an OIDC authorization method where it can automatically validate the JWT token in the header of any request using the issuer URL. It basically appends .well-known/openid-configuration to the provided issuer_URL. In my case, as the metadata document has the appid parameter at the end, it is not able to find the keys used in the signature and is failing to validate valid JWT ID tokens.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.