Use custom domain for JWT token issuer and audience instead of hardcoded value

tjementum · tjementum · commit c4b8219a2b94 · 2026-04-02T20:44:27.000+02:00
diff --git a/cloud-infrastructure/cluster/main-cluster.bicep b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -104,6 +104,7 @@ module keyVault '../modules/key-vault.bicep' = {
     subnetId: virtualNetwork.outputs.containerAppsSubnetId
     storageAccountId: diagnosticStorageAccount.outputs.storageAccountId
     workspaceId: existingLogAnalyticsWorkspace.id
+    domainName: domainName
   }
 }
 
diff --git a/cloud-infrastructure/modules/key-vault.bicep b/cloud-infrastructure/modules/key-vault.bicep
@@ -5,6 +5,7 @@ param tenantId string
 param subnetId string
 param storageAccountId string
 param workspaceId string
+param domainName string = ''
 
 resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
@@ -119,19 +120,21 @@ resource authenticationTokenSigningKey 'Microsoft.KeyVault/vaults/keys@2023-07-0
   }
 }
 
+var tokenIssuerAndAudience = domainName != '' ? 'https://${domainName}' : 'PlatformPlatform'
+
 resource authenticationTokenIssuer 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   parent: keyVault
   name: 'authentication-token-issuer'
   properties: {
-    value: 'PlatformPlatform' // Consider using the domain name (https://app.your-company.net) or company name (Your Company) as the issuer
+    value: tokenIssuerAndAudience
   }
 }
 
 resource authenticationTokenAudience 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   parent: keyVault
   name: 'authentication-token-audience'
   properties: {
-    value: 'PlatformPlatform' // Consider using the domain name (https://product.your-company.net) or product name (product-name) as the audience
+    value: tokenIssuerAndAudience
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,7 @@ module keyVault '../modules/key-vault.bicep' = {`
`104`	`104`	`subnetId: virtualNetwork.outputs.containerAppsSubnetId`
`105`	`105`	`storageAccountId: diagnosticStorageAccount.outputs.storageAccountId`
`106`	`106`	`workspaceId: existingLogAnalyticsWorkspace.id`
	`107`	`+ domainName: domainName`
`107`	`108`	`}`
`108`	`109`	`}`
`109`	`110`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ param tenantId string`
`5`	`5`	`param subnetId string`
`6`	`6`	`param storageAccountId string`
`7`	`7`	`param workspaceId string`
	`8`	`+param domainName string = ''`
`8`	`9`
`9`	`10`	`resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {`
`10`	`11`	`name: name`
`@@ -119,19 +120,21 @@ resource authenticationTokenSigningKey 'Microsoft.KeyVault/vaults/keys@2023-07-0`
`119`	`120`	`}`
`120`	`121`	`}`
`121`	`122`
	`123`	`+var tokenIssuerAndAudience = domainName != '' ? 'https://${domainName}' : 'PlatformPlatform'`
	`124`	`+`
`122`	`125`	`resource authenticationTokenIssuer 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {`
`123`	`126`	`parent: keyVault`
`124`	`127`	`name: 'authentication-token-issuer'`
`125`	`128`	`properties: {`
`126`		`- value: 'PlatformPlatform' // Consider using the domain name (https://app.your-company.net) or company name (Your Company) as the issuer`
	`129`	`+ value: tokenIssuerAndAudience`
`127`	`130`	`}`
`128`	`131`	`}`
`129`	`132`
`130`	`133`	`resource authenticationTokenAudience 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {`
`131`	`134`	`parent: keyVault`
`132`	`135`	`name: 'authentication-token-audience'`
`133`	`136`	`properties: {`
`134`		`- value: 'PlatformPlatform' // Consider using the domain name (https://product.your-company.net) or product name (product-name) as the audience`
	`137`	`+ value: tokenIssuerAndAudience`
`135`	`138`	`}`
`136`	`139`	`}`
`137`	`140`