Document how to configure OIDC with Microsoft Entra ID custom keys
What does this MR do and why?
When configuring OpenID Connect with Microsoft Entra ID, one customer had difficulty getting this to work because of the error:
Authentication failure! JSON::JWK::Set::KidNotFound
This occurred because validation of the id_token failed: the token was signed with a key that is not listed in the default JWKS URI provided by the OpenID Connect Discovery endpoint.
https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-tokens discusses this in more detail:
If the application has custom signing keys as a result of using the claims-mapping feature, append an appid query parameter that contains the application ID. For validation, use jwks_uri that points to the signing key information of the application. For example: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=00001111-aaaa-2222-bbbb-3333cccc4444 contains a jwks_uri of https://login.microsoftonline.com/{tenant}/discovery/keys?appid=00001111-aaaa-2222-bbbb-3333cccc4444.
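The key-selection step that produces the KidNotFound error, as an added example (not code from GitLab or the json-jwt gem): build the discovery URL with and without appid, read the kid from the token header, and look it up in a JWKS. The tenant name, the JWKS documents and the token are constructed sample values; the appid is the one quoted from the Microsoft docs above.

```ruby
require 'json'
require 'base64'
require 'uri'

# Hypothetical stand-in for JSON::JWK::Set::KidNotFound raised by the validator.
class KidNotFound < StandardError; end

# Entra ID discovery URL; with appid, the discovery document advertises the
# application-specific jwks_uri that carries the custom signing keys.
def discovery_url(tenant, appid = nil)
  url = "https://login.microsoftonline.com/#{tenant}/.well-known/openid-configuration"
  appid ? "#{url}?#{URI.encode_www_form(appid: appid)}" : url
end

# Read the unverified JOSE header of a compact JWT to learn which key id
# signed it. No signature is checked here; this is only key selection.
def token_kid(id_token)
  header_b64 = id_token.split('.').first
  JSON.parse(Base64.urlsafe_decode64(header_b64))['kid']
end

# Pick the JWK whose kid matches the token header, as the validator does.
# A JWKS fetched from the wrong jwks_uri simply does not contain the kid.
def find_signing_key(jwks, kid)
  jwks['keys'].find { |k| k['kid'] == kid } or raise KidNotFound, "kid #{kid} not in JWKS"
end

# Constructed sample data (not real Microsoft keys or tokens).
TENANT_JWKS = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'tenant-key-1', 'use' => 'sig' }] }
APP_JWKS    = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'app-custom-key-1', 'use' => 'sig' }] }
SAMPLE_TOKEN = Base64.urlsafe_encode64({ alg: 'RS256', kid: 'app-custom-key-1' }.to_json,
                                       padding: false) + '.e30.sig'

# true when the JWKS can supply the key the token was signed with.
def key_found?(jwks, id_token)
  find_signing_key(jwks, token_kid(id_token))
  true
rescue KidNotFound
  false
end

if __FILE__ == $PROGRAM_NAME
  puts discovery_url('contoso-tenant', '00001111-aaaa-2222-bbbb-3333cccc4444')
  puts "default tenant JWKS: #{key_found?(TENANT_JWKS, SAMPLE_TOKEN)}"   # false -> KidNotFound
  puts "appid-specific JWKS: #{key_found?(APP_JWKS, SAMPLE_TOKEN)}"      # true
end
```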
ZD: https://gitlab.zendesk.com/agent/tickets/565675
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.