From bde5f6eb47f95a68ee8f1db7329d12b3b3325800 Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Tue, 7 Oct 2025 17:04:07 +0530 Subject: [PATCH 1/3] Entra ID does not support the `private_key_jwt` --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 0153e84d291..82bda14f98f 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -334,7 +334,7 @@ In this case, the OIDC client is the app you are making. The options are: * `client_secret_basic`: Your app will use the HTTP Basic Authentication scheme to authenticate itself at your IdP. This is the default. The `client_secret_basic` makes use of the `client-id` and `client-secret`. * `client_secret_post`: Your app will authenticate itself by including its `client_id` and `client_secret` in the payload of token requests. (Older versions of the OIDC SSO module used this method.) - * `private_key_jwt`: This method, introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. When you select the `private key` option, you can configure the following fields: + * `private_key_jwt`: This method, introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. However, Entra ID does not support this method. When you select the `private key` option, you can configure the following fields: * **Key Pair Expiration Days**: (default `90`) * **JWT ALG(Signing Algorithm)**: (default `RS256`) From 2cfae50c3a70e26a4377225f6d88d9b97dea6451 Mon Sep 17 00:00:00 2001 
From: Karuna-Mendix Date: Tue, 7 Oct 2025 17:37:18 +0530 Subject: [PATCH 2/3] info box --- .../marketplace/platform-supported-content/modules/oidc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 82bda14f98f..7f90e116989 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md 
@@ -334,9 +334,11 @@ In this case, the OIDC client is the app you are making. The options are: * `client_secret_basic`: Your app will use the HTTP Basic Authentication scheme to authenticate itself at your IdP. This is the default. The `client_secret_basic` makes use of the `client-id` and `client-secret`. * `client_secret_post`: Your app will authenticate itself by including its `client_id` and `client_secret` in the payload of token requests. (Older versions of the OIDC SSO module used this method.) - * `private_key_jwt`: This method, introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. However, Entra ID does not support this method. When you select the `private key` option, you can configure the following fields: + * `private_key_jwt`: This method, introduced in version 4.1.0, uses asymmetric key cryptography (algorithm) for authentication. This is the best option for security. When you select the `private key` option, you can configure the following fields: * **Key Pair Expiration Days**: (default `90`) * **JWT ALG(Signing Algorithm)**: (default `RS256`) + + {{% alert color="info" %}}`private_key_jwt` is not yet supported with Entra ID due to the specific way of Microsoft's implementation which requires enhancements to the OIDC SSO module.{{% /alert %}} Once you **Save** the configuration, a key pair is automatically generated. Before you set up the private key authentication in your Mendix App, complete the JWKS configuration at your IdP. Check the documentation of your IdP for details. If you are using Okta, you can refer to the [Configuring JWKS at Your IdP (Okta)](#jwks-okta) section. From 8346ec086082341c988e3fd4c2cd5fec09ddb0da Mon Sep 17 00:00:00 2001 From: Karuna-Mendix Date: Tue, 7 Oct 2025 17:40:30 +0530 Subject: [PATCH 3/3] small fix --- .../docs/marketplace/platform-supported-content/modules/oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md index 7f90e116989..a1c7eba0101 100644 --- a/content/en/docs/marketplace/platform-supported-content/modules/oidc.md +++ b/content/en/docs/marketplace/platform-supported-content/modules/oidc.md @@ -338,7 +338,7 @@ In this case, the OIDC client is the app you are making. * **Key Pair Expiration Days**: (default `90`) * **JWT ALG(Signing Algorithm)**: (default `RS256`) - {{% alert color="info" %}}`private_key_jwt` is not yet supported with Entra ID due to the specific way of Microsoft's implementation which requires enhancements to the OIDC SSO module.{{% /alert %}} + {{% alert color="info" %}}`private_key_jwt` is not yet supported with Entra ID due to the specific way of Microsoft's implementation, which requires enhancements to the OIDC SSO module.{{% /alert %}} Once you **Save** the configuration, a key pair is automatically generated. Before you set up the private key authentication in your Mendix App, complete the JWKS configuration at your IdP. Check the documentation of your IdP for details. If you are using Okta, you can refer to the [Configuring JWKS at Your IdP (Okta)](#jwks-okta) section.
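Review bot: In patch 1/3, the new sentence "However, Entra ID does not support this method." is inserted into the middle of the `private_key_jwt` bullet, between the recommendation ("This is the best option for security") and the configuration instructions ("When you select the `private key` option, you can configure the following fields"), so the caveat is easy to skim past and it interrupts the flow of the option description. It also reads as a limitation of Entra ID itself, whereas the wording adopted in patch 2/3 attributes the gap to the OIDC SSO module needing enhancements; the two should agree. Since patch 2/3 removes this sentence again, this commit is net churn and would be better squashed into the next one.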
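Review bot: In patch 2/3, the added alert is indented under the field list (`* **Key Pair Expiration Days**` / `* **JWT ALG(Signing Algorithm)**`), so it will render as part of the nested bullet rather than as a standalone note; check the rendered page and consider dedenting it to sit after the whole option list, just before "Once you **Save** the configuration". The explanation "due to the specific way of Microsoft's implementation" does not tell an admin what actually differs, so they cannot judge whether a future module version or an Entra ID change resolves it; either name the specific incompatibility or link a tracking item. Because this section is where an admin picks the authentication method, the note should also say what to use instead until support lands, i.e. `client_secret_basic` (the stated default) or `client_secret_post`, which are the two other methods listed in the same hunk. The missing comma before "which requires enhancements" is fixed in patch 3/3.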
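Review bot: In patch 3/3, the only change is the comma added before "which requires enhancements" in the alert introduced by patch 2/3, and the commit message "small fix" does not say so; a one-line amendment to text introduced in the previous commit of the same series belongs squashed into that commit rather than shipped as a separate one. The corrected sentence still leaves "the specific way of Microsoft's implementation" undefined, so the vagueness raised against patch 2/3 carries over to this final wording.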