Demo fails with "Unable to fetch public keys"

[EionRobb]

Running the demo to call a token issuance is failing with "Unable to fetch public keys".

It looks like JwtValidator.resolvePublicKeyJwks() is connecting to https://discover.did.msidentity.com/v1.0/identifiers/did:web:verifiedid.entra.microsoft.com:07b12f07-657f-4ebe-ac84-cee558d49c71:ef3b2d34-d94d-1c95-71d9-66a073b46237 to download the public keys but the endpoint doesn't accept discovery using that, it returns "discovery_service.web_method_path_not_supported"

The demo JWT issued from the Entra issue API that's failing is

eyJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp3ZWI6dmVyaWZpZWRpZC5lbnRyYS5taWNyb3NvZnQuY29tOjA3YjEyZjA3LTY1N2YtNGViZS1hYzg0LWNlZTU1OGQ0OWM3MTplZjNiMmQzNC1kOTRkLTFjOTUtNzFkOS02NmEwNzNiNDYyMzcjYWM1NzhiNjRhMzNiNDI1NTk5YmQ2MTZhNDJlZTM4MzBtYW5hZ2Vkc2lncDI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI5YmQ3MDAzYy02MzdmLTRmYzgtYWY4ZC04YmFkMDA5ZDRiNGYiLCJpYXQiOjE3MTkxOTQ0NjgsInJlc3BvbnNlX3R5cGUiOiJpZF90b2tlbiIsInJlc3BvbnNlX21vZGUiOiJwb3N0Iiwic2NvcGUiOiJvcGVuaWQiLCJub25jZSI6IlhnSFh6MXpmOWVva293T2l2Wkd6K1E9PSIsImNsaWVudF9pZCI6ImRpZDp3ZWI6dmVyaWZpZWRpZC5lbnRyYS5taWNyb3NvZnQuY29tOjA3YjEyZjA3LTY1N2YtNGViZS1hYzg0LWNlZTU1OGQ0OWM3MTplZjNiMmQzNC1kOTRkLTFjOTUtNzFkOS02NmEwNzNiNDYyMzciLCJyZWRpcmVjdF91cmkiOiJodHRwczovL3ZlcmlmaWVkaWQuZGlkLm1zaWRlbnRpdHkuY29tL3YxLjAvdGVuYW50cy8wN2IxMmYwNy02NTdmLTRlYmUtYWM4NC1jZWU1NThkNDljNzEvdmVyaWZpYWJsZUNyZWRlbnRpYWxzL2NvbXBsZXRlSXNzdWFuY2UiLCJwcm9tcHQiOiJjcmVhdGUiLCJzdGF0ZSI6ImRqTytkOC85MDM5WTJhOEZxZjVxMkFoM2Z2MEVzSlNyNUo5T29NRWt0cHlLYXkvWUtXeWJuR0JRMENDRVErd2R5SzEyZ01xSFFGdEpOY1JyYkJCZTlhRFhPcFpMaHY0eWkvNXVDUDlLTnpmUnRSZkcrbjk0NGlXdUxhdlRUdzlVYXZtbGVhenBXbXlwQit6bXBvMGNScjEwUmczV1A5ak9EeGtKTnhQbFlhT0ErdGNGcWFnQzhaK3VrWlU4c29JY1VBNW4zUjBFSWQ2ZHNWWUZRYnFsMDBnaGFqdkhUTGhkdXFpN29iOS8zNnFFM1RPZ1B1YUpJQXFpN0NObUdhYmF2QXRQQjhVZ05HTDVpcUVoaDBLU2Z1d1orQTB2STN4RG1tNmNndXoyN0ZTYUdFQU81bVcrMDBCVk9nTHFmWUZLSDFRRXhYcENYT01MMW1Hd1BZYm9nbFZIZmRyU3RJSzBaREo4N0pWWVVrSGZRSGIzWndxKy9WZlhmTTdwWHZBNXNSNW1lWUxvdlhZdHNDMDRIejNuVkMreFREdVJpeDZ6ckl1Nzk4UkpWcUgyNHdPQ1J2bzgwOTBtNllQeTljS09wYXFjVTZmWXNKQnhJVXV0ekZJSk1BMUdFUT09IiwiZXhwIjoxNzE5MTk0NzY4LCJyZWdpc3RyYXRpb24iOnsiY2xpZW50X25hbWUiOiJOQ2FwIFJhbmRvbWl6ZXIiLCJzdWJqZWN0X3N5bnRheF90eXBlc19zdXBwb3J0ZWQiOlsiZGlkOmlvbiJdLCJ2cF9mb3JtYXRzIjp7Imp3dF92cCI6eyJhbGciOlsiRVMyNTZLIl19LCJqd3RfdmMiOnsiYWxnIjpbIkVTMjU2SyJdfX0sImNsaWVudF9wdXJwb3NlIjoiUmFuZG9tbHkgY3JlYXRlcyBOQ2FwIHNjb3JlcyJ9LCJjbGFpbXMiOnsidnBfdG9rZW4iOnsicHJlc2VudGF0aW9uX2RlZmluaXRpb24iOnsiaWQiOiJkZmRlNjQzYy0yMDg5LTQ4NWQtOGRlZi03YmE5MmRiYWZiOTgiLCJpbnB1dF9kZXNjcmlwdG9ycyI6W3siaWQiOiJOQ2FwU2NvcmUiLCJzY2hlbWEiOlt7InVyaSI6Ik5DYXBTY29yZSJ9XSwiaXNzdWFuY2UiOlt7Im1hbmlmZXN0IjoiaHR0cHM6Ly92ZXJpZmllZGlkLmRpZC5tc2lkZW50aXR5LmNvbS92MS4wL3RlbmFudHMvMDdiMTJmMDctNjU3Zi00ZWJlLWFjODQtY2VlNTU4ZDQ5YzcxL3ZlcmlmaWFibGVDcmVkZW50aWFscy9jb250cmFjdHMvYTk4NmMzYTYtOGRlYS1jNTc4LTQyMjEtOTUyYWFjYTVkNzQxL21hbmlmZXN0In1dfV19fX0sImlkX3Rva2VuX2hpbnQiOiJleUpoYkdjaU9pSkZVekkxTmlJc0ltdHBaQ0k2SW1ScFpEcDNaV0k2ZG1WeWFXWnBaV1JwWkM1bGJuUnlZUzV0YVdOeWIzTnZablF1WTI5dE9qQTNZakV5WmpBM0xUWTFOMll0TkdWaVpTMWhZemcwTFdObFpUVTFPR1EwT1dNM01UcGxaak5pTW1Rek5DMWtPVFJrTFRGak9UVXROekZrT1MwMk5tRXdOek5pTkRZeU16Y2pZV00xTnpoaU5qUmhNek5pTkRJMU5UazVZbVEyTVRaaE5ESmxaVE00TXpCdFlXNWhaMlZrYzJsbmNESTFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUp6ZFdJaU9pSjNUakpIWm1WcWNXbHNaVmRpVGxOMmJHSnRTM1pzV1dKVlgxWXhhMDl6Ulc5amRXaHVkMHBKUm5rd0lpd2lZWFZrSWpvaWFIUjBjSE02THk5aVpYUmhMbVJwWkM1dGMybGtaVzUwYVhSNUxtTnZiUzkyTVM0d0wzUmxibUZ1ZEhNdk1EZGlNVEptTURjdE5qVTNaaTAwWldKbExXRmpPRFF0WTJWbE5UVTRaRFE1WXpjeEwzWmxjbWxtYVdGaWJHVkRjbVZrWlc1MGFXRnNjeTlwYzNOMVpTSXNJbTV2Ym1ObElqb2lWelk0WWxWSk4xWkJORXBHTlZwa05rcHVRbU5hUVQwOUlpd2ljM1ZpWDJwM2F5STZleUpqY25ZaU9pSlFMVEkxTmlJc0ltdHBaQ0k2SW1ScFpEcDNaV0k2ZG1WeWFXWnBaV1JwWkM1bGJuUnlZUzV0YVdOeWIzTnZablF1WTI5dE9qQTNZakV5WmpBM0xUWTFOMll0TkdWaVpTMWhZemcwTFdObFpUVTFPR1EwT1dNM01UcGxaak5pTW1Rek5DMWtPVFJrTFRGak9UVXROekZrT1MwMk5tRXdOek5pTkRZeU16Y2pZV00xTnpoaU5qUmhNek5pTkRJMU5UazVZbVEyTVRaaE5ESmxaVE00TXpCdFlXNWhaMlZrYzJsbmNESTFOaUlzSW10MGVTSTZJa1ZESWl3aWVDSTZJbUU1ZW1KVGVIUnVRbm81UWxOWWIzaE1jMEZLY1haV2JtaEdkMjAzYkd0MlVIVlNaWEZaU1daalIwRWlMQ0o1SWpvaVZFZDFkbWt0UmsxU1dXVnBSMFJpUzA1c01sb3RSRkozUjJacmJtRjRjbHA1Y25Kc2JUUnhabVpmYXlKOUxDSmthV1FpT2lKa2FXUTZkMlZpT25abGNtbG1hV1ZrYVdRdVpXNTBjbUV1YldsamNtOXpiMlowTG1OdmJUb3dOMkl4TW1Zd055MDJOVGRtTFRSbFltVXRZV000TkMxalpXVTFOVGhrTkRsak56RTZaV1l6WWpKa016UXRaRGswWkMweFl6azFMVGN4WkRrdE5qWmhNRGN6WWpRMk1qTTNJaXdpY0dWeWFXOWtYM04wWVhKMFgyUmhkR1VpT2lJeU1ESTBMVEF5SWl3aWNHVnlhVzlrWDJWdVpGOWtZWFJsSWpvaU1qQXlNeTB3TkNJc0ltNWpZWEJmYzJOdmNtVWlPaUl6TmlJc0ltbHpjeUk2SW1oMGRIQnpPaTh2YzJWc1ppMXBjM04xWldRdWJXVWlMQ0pwWVhRaU9qRTNNVGt4T1RRME5qZ3NJbXAwYVNJNklqbGlaRGN3TUROakxUWXpOMll0Tkdaak9DMWhaamhrTFRoaVlXUXdNRGxrTkdJMFppSXNJbVY0Y0NJNk1UY3hPVEU1TkRjMk9IMC5YdkJGbHRRdnI5RmpLZGNqQzB2YktkS0w4b0RoTVpBcXFLdFFQMTlBNHIxZUNralR1SEpwMlVYTHNnbThxZENTZ09oMmVici1jVWdURWg1bVlLRzlUUSJ9.iyr2AqSBuK0TNGQ7AtzPnTxyXtt-dDoZT6ZZLY4GFAxrKURdtRrP088DO83hW0IRES0xFXBJDWpmCWEDIKAwmw

Edit: just wanted to add that the same JWT/url works ok with Microsoft Authenticator

[EionRobb]

I checked to see what URL the MS Authenticator app uses for verification to see if it just needed the resolverUrl updated, and it looks up the same URL, but the endpoint doesn't respond if the user agent header is not User-Agent: Microsoft-Authenticator/6.2406.4052

Are we expected to host a version of https://discover.did.msidentity.com/v1.0/identifiers/ in order for did:web lookups to work correctly with the wallet library?