[AKS] add structured authn to preview (#36312)

* Add jwt authn paths, defs and parameters

* Add JWT examples

* Fix examples

* Fix create update example

* Fix another create or update example

* Fix lint

---------

Co-authored-by: Wei Chen <[email protected]>

Author: weichch

specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2025-07-02-preview/examples/JWTAuthenticators_Create_Or_Update.json

@@ -0,0 +1,146 @@
+{
+  "parameters": {
+    "api-version": "2025-07-02-preview",
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resourceGroupName": "rg1",
+    "resourceName": "clustername1",
+    "jwtAuthenticatorName": "jwt1",
+    "parameters": {
+      "properties": {
+        "issuer": {
+          "url": "https://example.com",
+          "audiences": [
+            "https://example.com/audience1",
+            "https://example.com/audience2"
+          ]
+        },
+        "claimValidationRules": [
+          {
+            "expression": "has(claims.sub)",
+            "message": "Sub is required"
+          },
+          {
+            "expression": "claims.sub != ''",
+            "message": "Sub cannot be empty"
+          }
+        ],
+        "claimMappings": {
+          "username": {
+            "expression": "'aks:jwt:' + claims.sub"
+          },
+          "groups": {
+            "expression": "claims.groups.split(',').map(group, 'aks:jwt:' + group)"
+          },
+          "extra": [
+            {
+              "key": "example.com/extrakey",
+              "valueExpression": "claims.customfield"
+            }
+          ]
+        },
+        "userValidationRules": [
+          {
+            "expression": "user.groups.all(group, group.startsWith('aks:jwt:admin:'))",
+            "message": "Must be in admin user group"
+          }
+        ]
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/jwtAuthenticators/jwt1",
+        "type": "Microsoft.ContainerService/managedClusters/jwtAuthenticators",
+        "name": "jwt1",
+        "properties": {
+          "provisioningState": "Succeeded",
+          "issuer": {
+            "url": "https://example.com",
+            "audiences": [
+              "https://example.com/audience1",
+              "https://example.com/audience2"
+            ]
+          },
+          "claimValidationRules": [
+            {
+              "expression": "has(claims.sub)",
+              "message": "Sub is required"
+            },
+            {
+              "expression": "claims.sub != ''",
+              "message": "Sub cannot be empty"
+            }
+          ],
+          "claimMappings": {
+            "username": {
+              "expression": "'aks:jwt:' + claims.sub"
+            },
+            "groups": {
+              "expression": "claims.groups.split(',').map(group, 'aks:jwt:' + group)"
+            },
+            "extra": [
+              {
+                "key": "example.com/extrakey",
+                "valueExpression": "claims.customfield"
+              }
+            ]
+          },
+          "userValidationRules": [
+            {
+              "expression": "user.groups.all(group, group.startsWith('aks:jwt:admin:'))",
+              "message": "Must be in admin user group"
+            }
+          ]
+        }
+      }
+    },
+    "201": {
+      "body": {
+        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/jwtAuthenticators/jwt1",
+        "type": "Microsoft.ContainerService/managedClusters/jwtAuthenticators",
+        "name": "jwt1",
+        "properties": {
+          "provisioningState": "Succeeded",
+          "issuer": {
+            "url": "https://example.com",
+            "audiences": [
+              "https://example.com/audience1",
+              "https://example.com/audience2"
+            ]
+          },
+          "claimValidationRules": [
+            {
+              "expression": "has(claims.sub)",
+              "message": "Sub is required"
+            },
+            {
+              "expression": "claims.sub != ''",
+              "message": "Sub cannot be empty"
+            }
+          ],
+          "claimMappings": {
+            "username": {
+              "expression": "'aks:jwt:' + claims.sub"
+            },
+            "groups": {
+              "expression": "claims.groups.split(',').map(group, 'aks:jwt:' + group)"
+            },
+            "extra": [
+              {
+                "key": "example.com/extrakey",
+                "valueExpression": "claims.customfield"
+              }
+            ]
+          },
+          "userValidationRules": [
+            {
+              "expression": "user.groups.all(group, group.startsWith('aks:jwt:admin:'))",
+              "message": "Must be in admin user group"
+            }
+          ]
+        }
+      }
+    }
+  }
+}

specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2025-07-02-preview/examples/JWTAuthenticators_Delete.json

@@ -0,0 +1,17 @@
+{
+  "parameters": {
+    "api-version": "2025-07-02-preview",
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resourceGroupName": "rg1",
+    "resourceName": "clustername1",
+    "jwtAuthenticatorName": "jwt1"
+  },
+  "responses": {
+    "202": {
+      "headers": {
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operationStatus/default/operationId/00000000-0000-0000-0000-000000000000?api-version=2025-07-02-preview"
+      }
+    },
+    "204": {}
+  }
+}

specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2025-07-02-preview/examples/JWTAuthenticators_Get.json

@@ -0,0 +1,58 @@
+{
+  "parameters": {
+    "api-version": "2025-07-02-preview",
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resourceGroupName": "rg1",
+    "resourceName": "clustername1",
+    "jwtAuthenticatorName": "jwt1"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/jwtAuthenticators/jwt1",
+        "type": "Microsoft.ContainerService/managedClusters/jwtAuthenticators",
+        "name": "jwt1",
+        "properties": {
+          "provisioningState": "Succeeded",
+          "issuer": {
+            "url": "https://example.com",
+            "audiences": [
+              "https://example.com/audience1",
+              "https://example.com/audience2"
+            ]
+          },
+          "claimValidationRules": [
+            {
+              "expression": "has(claims.sub)",
+              "message": "Sub is required"
+            },
+            {
+              "expression": "claims.sub != ''",
+              "message": "Sub cannot be empty"
+            }
+          ],
+          "claimMappings": {
+            "username": {
+              "expression": "'aks:jwt:' + claims.sub"
+            },
+            "groups": {
+              "expression": "claims.groups.split(',').map(group, 'aks:jwt:' + group)"
+            },
+            "extra": [
+              {
+                "key": "example.com/extrakey",
+                "valueExpression": "claims.customfield"
+              }
+            ]
+          },
+          "userValidationRules": [
+            {
+              "expression": "user.groups.all(group, group.startsWith('aks:jwt:admin:'))",
+              "message": "Must be in admin user group"
+            }
+          ]
+        }
+      }
+    }
+  }
+}

specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2025-07-02-preview/examples/JWTAuthenticators_List.json

@@ -0,0 +1,61 @@
+{
+  "parameters": {
+    "api-version": "2025-07-02-preview",
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resourceGroupName": "rg1",
+    "resourceName": "clustername1"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/jwtAuthenticators/jwt1",
+            "type": "Microsoft.ContainerService/managedClusters/jwtAuthenticators",
+            "name": "jwt1",
+            "properties": {
+              "provisioningState": "Succeeded",
+              "issuer": {
+                "url": "https://example.com",
+                "audiences": [
+                  "https://example.com/audience1",
+                  "https://example.com/audience2"
+                ]
+              },
+              "claimValidationRules": [
+                {
+                  "expression": "has(claims.sub)",
+                  "message": "Sub is required"
+                },
+                {
+                  "expression": "claims.sub != ''",
+                  "message": "Sub cannot be empty"
+                }
+              ],
+              "claimMappings": {
+                "username": {
+                  "expression": "'aks:jwt:' + claims.sub"
+                },
+                "groups": {
+                  "expression": "claims.groups.split(',').map(group, 'aks:jwt:' + group)"
+                },
+                "extra": [
+                  {
+                    "key": "example.com/extrakey",
+                    "valueExpression": "claims.customfield"
+                  }
+                ]
+              },
+              "userValidationRules": [
+                {
+                  "expression": "user.groups.all(group, group.startsWith('aks:jwt:admin:'))",
+                  "message": "Must be in admin user group"
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+  }
+}