Skip to content

Commit 7a2eb0d

Browse files
prmerger-automator[bot]prmerger-automator[bot]
authored
Merge pull request #215505 from dlepow/jwt
[APIM] Clarify OIDC endpoints for Azure AD in validate-jwt policy
2 parents 3480fc4 + 010fe4c commit 7a2eb0d

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

articles/api-management/api-management-access-restriction-policies.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -650,7 +650,7 @@ The `validate-jwt` policy enforces existence and validity of a JSON web token (J
650650

651651
```xml
652652
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
653-
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration" />
653+
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration" />
654654
<audiences>
655655
<audience>25eef6e4-c905-4a07-8eb4-0d08d5df8b3f</audience>
656656
</audiences>
@@ -737,7 +737,7 @@ This example shows how to use the [Validate JWT](api-management-access-restricti
737737
| require-scheme | The name of the token scheme, e.g. "Bearer". When this attribute is set, the policy will ensure that specified scheme is present in the Authorization header value. | No | N/A |
738738
| require-signed-tokens | Boolean. Specifies whether a token is required to be signed. | No | true |
739739
| separator | String. Specifies a separator (e.g. ",") to be used for extracting a set of values from a multi-valued claim. | No | N/A |
740-
| url | Open ID configuration endpoint URL from where OpenID configuration metadata can be obtained. The response should be according to specs as defined at URL:`https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. For Azure Active Directory use the following URL: `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` substituting your directory tenant name, e.g. `contoso.onmicrosoft.com`. | Yes | N/A |
740+
| url | Open ID configuration endpoint URL from where OpenID configuration metadata can be obtained. The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Azure Active Directory use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- (v2) `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/> - (v2 multitenant) ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- (v1) `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/><br/> substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | Yes | N/A |
741741
| output-token-variable-name | String. Name of context variable that will receive token value as an object of type [`Jwt`](api-management-policy-expressions.md) upon successful token validation | No | N/A |
742742

743743
### Usage

0 commit comments

Comments
 (0)