Inquire about the difference between "https://login.microsoftonline.com/common/discovery/v2.0/keys" and "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}"

JINGYU KIM 0 Reputation points
2023-05-12T08:32:26.9566667+00:00

I have an inquiry about the difference between "https://login.microsoftonline.com/common/discovery/v2.0/keys" and "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}".

  1. Can we guarantee that the kid present in "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}" always exists in "https://login.microsoftonline.com/common/discovery/v2.0/keys" as well?
  2. What is the difference between "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}" and "https://login.microsoftonline.com/common/discovery/v2.0/keys" purposes?
  3. The key should not be retrieved directly from the above endpoint, and is it necessary to check the endpoint again in "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" or "https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"?

Thanks in advance.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,146 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 35,621 Reputation points Microsoft Employee
    2023-05-12T22:28:42.5466667+00:00

    Hi @JINGYU KIM ,

    In the context of Microsoft identity platform, the common endpoint "https://login.microsoftonline.com/common/discovery/v2.0/keys" is used to retrieve the public keys that are globally available for all tenants ("tenant-independent"), while the tenant endpoint "https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id}" is used to retrieve the public keys that are specific to a particular tenant and application.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens

    The common endpoint is useful when you want to retrieve keys that are not specific to any particular tenant or application (i.e. in multi-tenant setups), while the tenant endpoint is useful when you want to retrieve keys that are specific to a particular tenant and application. With the common endpoint, the tenant gets determined based on the account details of the user.

    The issuer value in the token tells an application which tenant the user is from. When a response returns from the /common endpoint, the issuer value in the token corresponds to the user’s tenant. A key that is specific to a certain tenant may not exist in the global keys.

    The kid value for keys will match with the identifier for key that that has been used for signing the token you receive.

    Additional references:

    Common endpoint

    Azure AD Endpoints

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

    0 comments No comments