Skip to content

Fix: Improve Azure AD Key Manager documentation [master] #10467

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wso2-engineering-bot wants to merge 1 commit into from
Closed

Fix: Improve Azure AD Key Manager documentation [master] #10467

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions en/docs/administer/key-managers/configure-azure-ad-key-manager.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ Start the API Manager server and log-in to the Admin portal to configure Azure A
</tr>
<tr class="even">
<td>Scope Management Endpoint </td>
<td>The endpoint is used to manage the scopes.</td>
<td>The endpoint is used to manage the scopes. <br/><b>Example:</b><br/> https://&lt;host&gt;:9443/oauth2/scope</td>
<td>Mandatory</td>
</tr>
</tbody>
Expand Down Expand Up @@ -214,7 +214,7 @@ Start the API Manager server and log-in to the Admin portal to configure Azure A
"description": "Access failure for API: /exampleapi/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials."
}
```
Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token (you can use tools like [jwt.io](https://jwt.io) or similar JWT decoder) and check the `iss` claim in the payload. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
Copy link

@coderabbitai coderabbitai bot Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if file exists and read line 217 with context
if [ -f "en/docs/administer/key-managers/configure-azure-ad-key-manager.md" ]; then
  echo "File found. Reading lines 210-220..."
  sed -n '210,220p' "en/docs/administer/key-managers/configure-azure-ad-key-manager.md" | cat -n
else
  echo "File not found at expected path. Searching..."
  find . -name "configure-azure-ad-key-manager.md" 2>/dev/null
fi

Repository: wso2/docs-apim

Length of output: 912

Add security caveat when recommending public JWT decoders.

The current guidance recommends jwt.io without warning users about the risks of pasting production tokens containing sensitive claims. For administrators troubleshooting "Invalid Credentials" errors, this creates a risk of exposing secrets or personally identifiable information to a public service.

Recommend offline tools (command-line JWT decoders, IDE extensions, browser developer tools) as the preferred approach, and add an explicit warning against pasting production or sensitive tokens to public online services.

-    Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token (you can use tools like [jwt.io](https://jwt.io) or similar JWT decoder) and check the `iss` claim in the payload. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
+    Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token using an offline decoder or local tool (such as command-line utilities, IDE extensions, or browser developer tools) and check the `iss` claim in the payload. **Do not paste production or sensitive tokens into public online decoders like jwt.io**, as this may expose sensitive information. If there is a difference between the `iss` value and your configured issuer, update the issuer in the Key Manager Endpoints section accordingly.
🤖 Prompt for AI Agents 
In en/docs/administer/key-managers/configure-azure-ad-key-manager.md around line
217, the guidance currently recommends using jwt.io without warning about
security risks of pasting production tokens; update this paragraph to: add a
clear warning not to paste production or sensitive tokens into public online JWT
decoders, recommend offline alternatives (e.g., CLI tools like
jwt-cli/jq/OpenSSL, IDE extensions, or browser devtools) as the preferred
methods for decoding tokens, and optionally note that if an online tool must be
used, strip or redact sensitive claims before pasting and use a non-production
token.

Copy link
Member

@tharikaGitHub tharikaGitHub Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not mention the use of JWT.io


### Post checks

Expand Down