Hi @JINGYU KIM,
In the context of Microsoft identity platform, the common endpoint "https://login.microsoftonline.com/common/discovery/v2.0/keys" is used to retrieve the public keys that are globally available for all tenants ("tenant-independent"), while the tenant endpoint "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}" is used to retrieve the public keys that are specific to a particular tenant and application.
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
The common endpoint is useful when you want to retrieve keys that are not specific to any particular tenant or application (i.e. in multi-tenant setups), while the tenant endpoint is useful when you want to retrieve keys that are specific to a particular tenant and application. With the common endpoint, the tenant gets determined based on the account details of the user.
The issuer value in the token tells an application which tenant the user is from. When a response returns from the /common endpoint, the issuer value in the token corresponds to the user’s tenant. A key that is specific to a certain tenant may not exist in the global keys.
The kid value for keys will match the identifier of the key that has been used for signing the token you receive.
Additional references:
Let me know if this helps and if you have further questions.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
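As an added illustration (not part of the answer above and not Microsoft's code), the following Python walks through the validation step the answer describes: it reads `kid` from the token header, selects the matching key from a JWKS document shaped like the one the discovery/keys endpoint returns, verifies the RS256 signature, and then checks `iss` against the expected tenant issuer and `aud` against the application. The tenant id, client id and `kid` values are constructed placeholders; the RSA key pair is generated at runtime so the example runs offline, and PKCS#1 v1.5 verification is written out with the standard library only for that reason. In a real service the key set comes from the endpoint and a maintained JWT library does the verification.

```python
import base64, hashlib, hmac, json, math, secrets

# Constructed placeholder identifiers (not a real tenant or application).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# v2.0 tokens carry an issuer of this form; the tenant id inside it is what you pin.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def int_to_b64url(x: int) -> str:
    return b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, sufficient for a throwaway demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_demo_keypair(bits: int = 1024):
    """Generate a throwaway RSA key at runtime (demo only). Returns (n, e, d)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = DIGEST_INFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(m, emsa_pkcs1_v15(msg, k))


def make_jwks(kid: str, n: int, e: int) -> dict:
    """Same shape as the document served by the discovery/keys endpoint."""
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid,
                      "n": int_to_b64url(n), "e": int_to_b64url(e)}]}


def make_token(claims: dict, kid: str, n: int, d: int) -> str:
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    return signing_input + "." + b64url_encode(rsa_sign(signing_input.encode(), n, d))


def validate_token(token: str, jwks: dict, issuer: str, audience: str) -> dict:
    """Pick the key by kid, verify the signature, then check iss and aud."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # the token must not get to choose the algorithm
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if key is None:  # a tenant-specific key may be absent from the /common key set
        raise ValueError(f"no signing key with kid {kid!r} in this JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rsa_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not the expected tenant")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this application")
    return claims


def demo() -> dict:
    """Round trip with a demo key, then the same token against a key set lacking its kid."""
    n, e, d = make_demo_keypair()
    token = make_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID,
                        "sub": "user-123"}, "demo-key-1", n, d)
    good = validate_token(token, make_jwks("demo-key-1", n, e), EXPECTED_ISSUER, CLIENT_ID)
    on, oe, _ = make_demo_keypair()
    try:
        validate_token(token, make_jwks("other-key", on, oe), EXPECTED_ISSUER, CLIENT_ID)
        kid_rejected = False
    except ValueError:
        kid_rejected = True
    return {"sub": good["sub"], "kid_rejected": kid_rejected}


if __name__ == "__main__":
    print(demo())
```

The lookup by `kid` is the deciding step: if the token was signed with a key that the key set you fetched does not contain, the result is a hard rejection rather than a fallback, and the issuer check then pins the token to the tenant you intended to trust rather than to any tenant that can obtain a token from the same authority.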