I have an Azure Web App (Angular SPA using MSAL) registered in my AAD and set to multi-tenanted access. It accesses an Azure Web API. It was working fine in this configuration and users could sign in with their own organization's identity.
We put the Web API into Azure API Management (APIM) and set up incoming requests for JWT validation.
<openid-config url="https://login.microsoftonline.com/my-domain-name/.well-known/openid-configuration" />
This works fine for users in my own AD, but not for users from their own AD. So I switched the configuration to what the endpoints look like in our App Registration:
<openid-config url="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration" />
Now nothing works, and I get the error:
{"message":"JWT Validation Failed: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/users-tenant-id-here/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/{tenantid}/v2.0'.."}}
I can fix the problem by adding an issuer entry for the user's tenant id, but I don't want to do that every time a new customer signs up.
Is there a wildcard setting for the valid issuers list, or a way to pass issuer validation altogether? Or is there some setting on the client side that would fix the problem? Without it I don't see how APIM is usable for a multi-tenanted app.
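One way to keep issuer validation on without enumerating every customer tenant is to let the `issuer` elements be policy expressions that build the expected issuer from the token's own `tid` claim. The inbound policy below is an added example, not the poster's policy or a Microsoft sample: it assumes the `validate-jwt` policy's `<issuers>` list supersedes the templated `https://login.microsoftonline.com/{tenantid}/v2.0` value taken from the `organizations` metadata document, that `AsJwt()` is the APIM expression helper that parses the bearer header, and that `api://YOUR-WEB-API-APP-ID` is a placeholder for the real Application ID URI of the Web API registration. The error in the question shows a v1-format issuer (`https://sts.windows.net/{tid}/`) arriving while the metadata describes v2, so both forms are listed.

```xml
<!-- Added example: inbound policy for the Web API in APIM (not the poster's or Microsoft's code). -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="jwt">
        <!-- The common metadata publishes the signing keys Azure AD uses for every tenant, so the
             signature check already covers any tenant. Only the issuer string is tenant-specific. -->
        <openid-config url="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration" />
        <audiences>
            <!-- Placeholder (assumption): the audience the Web API app registration expects.
                 This is the check that actually scopes tokens to this API; keep it strict. -->
            <audience>api://YOUR-WEB-API-APP-ID</audience>
        </audiences>
        <issuers>
            <!-- v1 token issuer form: https://sts.windows.net/{tid}/
                 The tenant id is read from the token's own tid claim and must be a GUID, so
                 a token with a malformed or missing tid never produces a matching issuer. -->
            <issuer>@{
                var jwt = context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt();
                var tid = (jwt != null && jwt.Claims.ContainsKey("tid")) ? jwt.Claims["tid"][0] : "";
                Guid parsed;
                return Guid.TryParse(tid, out parsed) ? $"https://sts.windows.net/{parsed}/" : "no-valid-tid";
            }</issuer>
            <!-- v2 token issuer form: https://login.microsoftonline.com/{tid}/v2.0 -->
            <issuer>@{
                var jwt = context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt();
                var tid = (jwt != null && jwt.Claims.ContainsKey("tid")) ? jwt.Claims["tid"][0] : "";
                Guid parsed;
                return Guid.TryParse(tid, out parsed) ? $"https://login.microsoftonline.com/{parsed}/v2.0" : "no-valid-tid";
            }</issuer>
        </issuers>
    </validate-jwt>
</inbound>
```

With this shape, the issuer check asserts "issued by the Azure AD tenant the token claims to belong to" rather than "issued by one of N listed tenants", which is the semantics a multi-tenant app needs; the audience check and the signature check against the common key set are what keep it from accepting arbitrary tokens. If only customers who have completed sign-up should get through, a `<choose>` on `context.Variables["jwt"]` (the `Jwt` object exposed via `output-token-variable-name`) can compare its `tid` claim against a named value holding the onboarded tenant ids.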