[BUG] OIDC/Azure - Unable to fetch Azure App-Specific Signing Keys #1014

@dbnsky

Description

Describe the bug
The application crashes with a 500 Internal Server Error when configured with OIDC Authentication with Azure Active Directory as a Single-Tenant Application in Azure AD.

The application fails to verify the Azure id_token signature because the signing key (kid) is missing from the local KeyJar. This occurs because Azure signs the token with a specific key that is only exposed on the App-Specific JWKS endpoint, but the application's auto-discovery only queries the generic tenant endpoint.

Source:

To Reproduce
Steps to reproduce the behavior:

  1. Configuration: Configure the application as a Single-Tenant App
  2. User Action: Go to the login page and authenticate using a user account that triggers Azure's consumer signing flow
  3. Observation: The login fails after redirect.
  4. See error: 500 Internal Server Error caused by jwkest.jws.NoSuitableSigningKeys.

Expected behavior
The application should successfully validate the token signature for all valid users with Single-Tenant apps and Multitenant applications.

Screenshots

Traceback (most recent call last):
  File "/opt/venv/lib/python3.9/site-packages/oic/oic/message.py", line 312, in verify_id_token
    idt = IdToken().from_jwt(_jws, **args)
  File "/opt/venv/lib/python3.9/site-packages/jwkest/jws.py", line 564, in verify_compact_verbose
    raise NoSuitableSigningKeys(
jwkest.jws.NoSuitableSigningKeys: No key with kid: xxx-XXXXXXXXX

Additional context

  1. Updated app/config.py to load OIDC_JWKS_URI.
  2. Updated oidc_handler.py to prioritize manual JWKS URI.
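An added example (not the project's own code) of the lookup pattern the two changes above describe: a resolver that loads keys from a manually configured JWKS URI ahead of the auto-discovered tenant endpoint, refreshes once on an unknown `kid` to cover key rotation, and only then fails with a clear error. `fetch_jwks`, the URIs and the JWKS documents are constructed stand-ins so the example runs offline.

```python
"""Resolve an id_token signing key by kid from several JWKS sources."""
import json

# Constructed sample JWKS documents (placeholder URIs and moduli). The generic
# tenant endpoint does not carry the app-specific kid used to sign the token.
TENANT_JWKS_URI = "https://example.invalid/tenant/discovery/keys"
APP_JWKS_URI = "https://example.invalid/tenant/discovery/keys?appid=placeholder"
_SAMPLE_JWKS = {
    TENANT_JWKS_URI: {"keys": [
        {"kty": "RSA", "kid": "tenant-key-1", "use": "sig", "n": "<modulus>", "e": "AQAB"}]},
    APP_JWKS_URI: {"keys": [
        {"kty": "RSA", "kid": "app-key-1", "use": "sig", "n": "<modulus>", "e": "AQAB"}]},
}


def fetch_jwks(uri):
    """Hypothetical HTTP fetch: returns a fresh copy of the JWKS at `uri`."""
    return json.loads(json.dumps(_SAMPLE_JWKS[uri]))


class KeyResolver:
    """Holds signing keys from every configured JWKS URI, indexed by kid."""

    def __init__(self, jwks_uris, fetcher=fetch_jwks):
        # Order matters: a manually configured OIDC_JWKS_URI goes first,
        # the discovered tenant endpoint after it.
        self.jwks_uris = list(jwks_uris)
        self.fetcher = fetcher
        self.keys = {}
        self.refresh()

    def refresh(self):
        """Reload all sources; the first source to supply a kid wins."""
        fresh = {}
        for uri in self.jwks_uris:
            for jwk in self.fetcher(uri).get("keys", []):
                if jwk.get("use", "sig") == "sig" and "kid" in jwk:
                    fresh.setdefault(jwk["kid"], jwk)
        self.keys = fresh

    def resolve(self, kid):
        """Return the JWK for `kid`, refreshing once if it is not cached."""
        key = self.keys.get(kid)
        if key is None:
            self.refresh()  # handles keys rotated since the last load
            key = self.keys.get(kid)
        if key is None:
            raise LookupError(f"No key with kid: {kid}")
        return key
```

Verifying the token signature is left to the JWS library; the resolver only fixes which keys it is allowed to see.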
