Merge pull request #226407 from dlepow/patch-174

prmerger-automator[bot] · web-flow · commit 7705ac4c63d8 · 2023-02-06T18:27:19.000Z
Update validate-jwt-policy.md
diff --git a/articles/api-management/validate-jwt-policy.md b/articles/api-management/validate-jwt-policy.md
@@ -119,6 +119,7 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
     * **HS256** - the key must be provided inline within the policy in the Base64-encoded form. 
     * **RS256** - the key may be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) that contains the public key, or the modulus-exponent pair of the public key.
 * The policy supports tokens encrypted with symmetric keys using the following encryption algorithms: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512.
+* To configure the policy with one or more OpenID configuration endpoints for use with a self-hosted gateway, the OpenID configuration endpoints URLs must also be reachable by the cloud gateway.
 * You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Azure AD authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
 
 
