Why does the Azure AD OpenID Connect metadata document v2 endpoint now require 'jwks_extensions' when using the 'client_id' query param?

Jonathan Rigsby 0 Reputation points
2023-07-27T15:30:55.95+00:00

We have an application that uses Azure Active Directory to authenticate our users. We have been using the Azure AD OpenID Connect metadata document v2 endpoint with the client_id query param (ex., https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?client_id={client_id}) for months now. Suddenly, last week, GET calls to that URL started failing because that endpoint expects a jwks_extensions parameter when using the client_id query param. I cannot find any documentation or change notice about this or any documentation on the jwks_extensions parameter.

Using the appid query param instead of client_id seems to provide the same functionality that client_id used to, but again, I can find no documentation of this change. Nothing listed in these breaking changes seems to be related, and I have not been able to find references elsewhere: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes

{tenant} is a placeholder for our Azure tenant ID. {client_id} is a placeholder for the Application/Client ID of the application registered in Azure.

Original v2 URL: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?client_id={client_id}

New v2 URL: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid={client_id}


1 answer

  1. Shweta Mathur 25,296 Reputation points Microsoft Employee
    2023-07-28T08:06:47.86+00:00

    Hi @Jonathan Rigsby ,

    Thanks for reaching out.

    I'm sorry to hear that you are facing issues with the OpenID Connect metadata endpoint https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?client_id={client_id}

    AFAIK, client_id is not officially documented anywhere for querying the metadata endpoint. Could you please confirm why you are using the client_id query param in the first place?

    We can still query the metadata endpoint with clientid, appid or app_id, but officially we only support appid, as mentioned at https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validate-the-signature

    As the other query params are not officially supported or documented, they can become obsolete at any time without notice.

    Hope this answered your query.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
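As an added example (not code from the question, the answer, or Microsoft), the following builds the v2.0 metadata URL with the documented `appid` parameter rather than the undocumented `client_id` form from the question, and then picks the signing key for a token out of the JWKS that the metadata document points to. It assumes the metadata document carries `issuer` and `jwks_uri` and that the JWKS holds RSA keys with `kid`; the tenant, app ID, JWKS and token below are constructed stand-ins for the real HTTP responses.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def discovery_url(tenant, app_id):
    """v2.0 metadata URL scoped to one app via the documented `appid` parameter."""
    query = urlencode({"appid": app_id})
    return f"{AUTHORITY}/{tenant}/v2.0/.well-known/openid-configuration?{query}"

def _b64url_json(obj):
    """Unpadded base64url of compact JSON, as used for JWT header and payload."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def resolve_signing_key(token, metadata, jwks):
    """Return the JWK that must verify `token`, or raise if it cannot be trusted.
    `metadata` is the parsed discovery document, `jwks` the parsed `jwks_uri` body;
    the RSA signature check itself is left to a JWT library once the key is chosen."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if payload.get("iss") != metadata.get("issuer"):
        raise ValueError("token issuer does not match the metadata document")
    if not metadata.get("jwks_uri", "").startswith(AUTHORITY + "/"):
        raise ValueError("jwks_uri is outside the expected authority")
    kid = header.get("kid")
    for key in jwks.get("keys", []):
        if kid and key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    raise ValueError(f"kid {kid!r} not in the JWKS published for this app")

# Constructed stand-ins for the two HTTP responses; not real Entra ID values.
TENANT, APP_ID = "constructed-tenant-id", "constructed-app-id"
METADATA = {"issuer": f"{AUTHORITY}/{TENANT}/v2.0",
            "jwks_uri": f"{AUTHORITY}/{TENANT}/discovery/v2.0/keys?appid={APP_ID}"}
JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-kid-1", "use": "sig",
                  "n": "constructed-modulus", "e": "AQAB"}]}
TOKEN = ".".join([_b64url_json({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"}),
                  _b64url_json({"iss": METADATA["issuer"], "aud": APP_ID}), "constructed-sig"])
```

In production, fetch `discovery_url(...)` and its `jwks_uri` over HTTPS, cache the JWKS, and hand the returned JWK to your JWT library for the actual RS256 verification.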