@anujrana123@merill@JefTek@azuread @wiele Yes, that is precisely my concern. If the application team discovers one of the available keys (KID) in a compatible format, can they employ it to verify the token? What if Azure has signed that token using a different KID? Will it result in failure?
@merill@JefTek@azuread @wiele Is it possible to control KID value format ? Ex : Oracle needs it in Alpha numeric without special characters and suggested to use other KID value from JWK url. What if none of the KID are without special characters. Any recommendations ?
@wiele @merill@JefTek@azuread Thanks but i noticed such issues with SAAS applications which aren’t willing to make changes into their logic to validate token. So main question is - can they use any of the KID values available for keys pairs for validation l. I understand key pairs also changes periodically.