@wso2-engineering-bot wso2-engineering-bot commented Dec 18, 2025

This PR was automatically generated by Claude AI.

Changes made:

  1. Added example endpoint for Scope Management Endpoint: https://<host>:9443/oauth2/scope
  2. Added instructions to decode JWT token to obtain the iss claim when troubleshooting Invalid Credentials Error, including reference to jwt.io as a decoding tool
  • Style Scope Verification: Microsoft Style Guidelines have been applied ONLY to newly added content without modifying existing content style unless specifically requested.
  • Verification: mkdocs build passed successfully

Summary by CodeRabbit

  • Documentation
    • Updated Azure AD Key Manager configuration guide with a concrete Scope Management Endpoint example URL.
    • Enhanced issuer verification troubleshooting instructions with clearer guidance for decoding and validating token claims.

coderabbitai bot commented Dec 18, 2025

Walkthrough

Documentation updates to the Azure AD Key Manager configuration guide: a concrete example URL is added to the Scope Management Endpoint table cell, and the troubleshooting section is revised to guide users toward JWT decoding via jwt.io for issuer verification instead of direct instruction.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Azure AD Key Manager Documentation `en/docs/administer/key-managers/configure-azure-ad-key-manager.md` | Added concrete example URL to Scope Management Endpoint table cell; updated troubleshooting/issuer verification guidance to reference JWT decoding via jwt.io for retrieving the iss claim value |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Verify accuracy of example URL and jwt.io guidance
  • Confirm troubleshooting instructions are clear and actionable

Poem

🐰 A doc so fine, with clarity bright,
JWT decoding, made simple right,
Azure's secrets now plainly unfold,
Configuration wisdom, worth more than gold!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description provides essential context but omits most required sections from the template, including Goals, Approach, User stories, Release notes, Training, Certification, Marketing, Tests, Security checks, Samples, and Test environment. | Complete the description by filling in all required sections from the template, especially Goals, Approach, Release notes, Test environment, and Security checks sections. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely describes the main change: improving Azure AD Key Manager documentation with concrete examples and troubleshooting guidance. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e7039e3 and bacc5e2.

📒 Files selected for processing (1)
  • en/docs/administer/key-managers/configure-azure-ad-key-manager.md (2 hunks)
🔇 Additional comments (1)
en/docs/administer/key-managers/configure-azure-ad-key-manager.md (1)

155-155: Example URL enhances clarity for Scope Management Endpoint configuration.

The concrete example URL follows the established documentation pattern and provides helpful guidance for users configuring this endpoint. The HTML entity encoding is consistent with other examples in the table.

}
```
Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token (you can use tools like [jwt.io](https://jwt.io) or similar JWT decoder) and check the `iss` claim in the payload. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
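
Review bot: The added sentence treats the decoded `iss` as the value to copy into the configuration, but decoding a JWT payload does not verify its signature, so the claim is only as trustworthy as the source of the token. Suggest stating that the token being decoded must be one freshly issued by the intended Azure AD tenant before the issuer in the Key Manager Endpoints section is changed to match it. Also, "or similar JWT decoder" should read "or a similar JWT decoder".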

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if file exists and read line 217 with context
if [ -f "en/docs/administer/key-managers/configure-azure-ad-key-manager.md" ]; then
  echo "File found. Reading lines 210-220..."
  sed -n '210,220p' "en/docs/administer/key-managers/configure-azure-ad-key-manager.md" | cat -n
else
  echo "File not found at expected path. Searching..."
  find . -name "configure-azure-ad-key-manager.md" 2>/dev/null
fi

Repository: wso2/docs-apim

Length of output: 912


Add security caveat when recommending public JWT decoders.

The current guidance recommends jwt.io without warning users about the risks of pasting production tokens containing sensitive claims. For administrators troubleshooting "Invalid Credentials" errors, this creates a risk of exposing secrets or personally identifiable information to a public service.

Recommend offline tools (command-line JWT decoders, IDE extensions, browser developer tools) as the preferred approach, and add an explicit warning against pasting production or sensitive tokens to public online services.

-    Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token (you can use tools like [jwt.io](https://jwt.io) or similar JWT decoder) and check the `iss` claim in the payload. If there is a difference, update the issuer in the Key Manager Endpoints section to align with the `iss` value present in the token.
+    Please verify that the `iss` (issuer) claim in the token matches the issuer configured in the Key Manager Endpoints section. To obtain the `iss` value from the token, decode the JWT token using an offline decoder or local tool (such as command-line utilities, IDE extensions, or browser developer tools) and check the `iss` claim in the payload. **Do not paste production or sensitive tokens into public online decoders like jwt.io**, as this may expose sensitive information. If there is a difference between the `iss` value and your configured issuer, update the issuer in the Key Manager Endpoints section accordingly.
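
Review bot: In the replacement line, "as this may expose sensitive information" understates the main risk: an unexpired access token is a bearer credential, so whoever receives it can present it to the API until it expires. Suggest naming that risk in the warning, and giving one concrete offline method in place of the generic "command-line utilities, IDE extensions, or browser developer tools" so the reader has something to follow.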
🤖 Prompt for AI Agents
In en/docs/administer/key-managers/configure-azure-ad-key-manager.md around line
217, the guidance currently recommends using jwt.io without warning about
security risks of pasting production tokens; update this paragraph to: add a
clear warning not to paste production or sensitive tokens into public online JWT
decoders, recommend offline alternatives (e.g., CLI tools like
jwt-cli/jq/OpenSSL, IDE extensions, or browser devtools) as the preferred
methods for decoding tokens, and optionally note that if an online tool must be
used, strip or redact sensitive claims before pasting and use a non-production
token.
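
An added example, not part of the PR or of the WSO2 documentation: a local Python check that decodes a token's payload without any online service and compares its `iss` with the issuer configured in the Key Manager Endpoints section. The sample token, the all-zero tenant GUID and the function names are constructed for illustration; the payload is read without signature verification, so this is a troubleshooting aid only.

```python
import base64
import json

# Constructed placeholder issuer (all-zero tenant GUID), not a real tenant.
SAMPLE_ISS = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(iss: str) -> str:
    """Build a constructed token with a dummy signature, for offline demo only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "aud": "api://example"}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def unverified_claims(token: str) -> dict:
    """Decode the payload locally. The signature is NOT checked."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    # JWT segments are base64url without padding; restore it before decoding.
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_issuer(token: str, configured_issuer: str) -> tuple:
    """Return (matches, detail) for the token's iss versus the configured issuer."""
    iss = unverified_claims(token).get("iss")
    if not isinstance(iss, str):
        return False, "token has no string iss claim"
    if iss == configured_issuer:
        return True, "issuer matches"
    if iss.rstrip("/") == configured_issuer.rstrip("/"):
        return False, f"differs only by a trailing slash; token iss is {iss!r}"
    return False, f"mismatch; token iss is {iss!r}"


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_ISS)
    print(check_issuer(token, SAMPLE_ISS.rstrip("/")))
```

The issuer comparison is an exact string match, so the trailing-slash case is reported as a mismatch rather than silently accepted.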
