Commit c57561d

Merge branch 'patch-298' of https://github.com/dlepow/azure-docs-pr into patch-298
2 parents 0b39887 + 9945d35 commit c57561d

1 file changed

+11
-1
lines changed

articles/api-management/validate-azure-ad-token-policy.md

Lines changed: 11 additions & 1 deletion
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: api-management
88
ms.topic: article
9-
ms.date: 03/18/2024
9+
ms.date: 06/24/2024
1010
ms.author: danlep
1111
---
1212

@@ -52,6 +52,10 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
5252
</claim>
5353
<!-- if there are multiple possible allowed values, then add additional value elements -->
5454
</required-claims>
55+
<decryption-keys>
56+
<key>Base64 encoded signing key | certificate-id="mycertificate"</key>
57+
<!-- if there are multiple keys, then add additional key elements -->
58+
</decryption-keys>
5559
</validate-azure-ad-token>
5660
```
5761

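Review bot: the `<key>` placeholder on the added line is ambiguous: the new key attributes table documents `certificate-id` as an attribute of `key`, but here it appears inside the element text after a `|`, so a reader may copy it literally as element content. Suggest showing the two alternatives as separate elements, e.g. `<key>Base64-encoded key</key>` and `<key certificate-id="mycertificate" />`, with the existing comment explaining that either form may be used. The placeholder text also says "signing key" inside `<decryption-keys>`; calling it a decryption key (the key the token was encrypted with) would avoid confusion with signature verification.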
@@ -75,6 +79,7 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
7579
| backend-application-ids | Contains a list of acceptable backend application IDs. This is only required in advanced cases for the configuration of options and can generally be removed. Policy expressions aren't allowed. | No |
7680
| client-application-ids | Contains a list of acceptable client application IDs. If multiple `application-id` elements are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. If a client application ID isn't provided, one or more `audience` claims should be specified. Policy expressions aren't allowed. | No |
7781
| required-claims | Contains a list of `claim` elements for claim values expected to be present on the token for it to be considered valid. When the `match` attribute is set to `all`, every claim value in the policy must be present in the token for validation to succeed. When the `match` attribute is set to `any`, at least one claim must be present in the token for validation to succeed. Policy expressions are allowed. | No |
82+
| decryption-keys | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>To decrypt a token encrypted with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management. | No |
7883

7984
### claim attributes
8085

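Review bot: the second paragraph of the new `decryption-keys` row says to "specify the public key" via `certificate-id` to decrypt a token encrypted with an asymmetric key. Asymmetric decryption requires the private key, so either state explicitly that the referenced certificate uploaded to API Management must include the private key, or reword the sentence; as written a reader may upload a public-key-only certificate and see decryption fail. Minor: "security keys" in the first sentence should just be "keys" to match the element name and the `required-claims` row style.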
@@ -84,6 +89,11 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
8489
| match | The `match` attribute on the `claim` element specifies whether every claim value in the policy must be present in the token for validation to succeed. Possible values are:<br /><br /> - `all` - every claim value in the policy must be present in the token for validation to succeed.<br /><br /> - `any` - at least one claim value must be present in the token for validation to succeed.<br/><br/>Policy expressions are allowed. | No | all |
8590
| separator | String. Specifies a separator (for example, ",") to be used for extracting a set of values from a multi-valued claim. Policy expressions are allowed. | No | N/A |
8691

92+
### key attributes
93+
| Attribute | Description | Required | Default |
94+
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
95+
| certificate-id | Identifier of a certificate entity [uploaded](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-certificate-entity#Add) to API Management, used to specify the public key to verify a token signed with an asymmetric key. | No | N/A |
96+
8797
## Usage
8898

8999
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound

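Review bot: the `certificate-id` description in the new key attributes table ("used to specify the public key to verify a token signed with an asymmetric key") contradicts the `decryption-keys` row added in the previous hunk, where the same attribute selects the key used to decrypt the token. Since this change documents `key` only as a subelement of `decryption-keys`, the two descriptions should agree on whether the certificate is used for decryption or for signature verification. Minor: add a blank line between `### key attributes` and the table, matching the `### claim attributes` section above, and the very long dash runs in the separator row can be shortened without changing rendering.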