Policy inside aad-cc.bicep seems not correct

[SLdragon]

Thanks for this amazing project to help me understand how authentication works inside APIM!

Here is policy inside aad-cc.bicep file:

<inbound>
    <base />
     ...
    <set-variable name="uri" value="@{
      string oid = &quot;&quot;;
      string token = ((Authorization)context.Variables.GetValueOrDefault(&quot;auth-context&quot;))?.AccessToken;
      Jwt jwt;
      if (token.TryParseJwt(out jwt))
      {
          oid = jwt.Claims.GetValueOrDefault(&quot;oid&quot;, &quot;empty&quot;);
      }
      return &quot;/v1.0/users/&quot; + oid;
  }" />
  <rewrite-uri template="@((string)context.Variables[&quot;uri&quot;])" copy-unmatched-params="false" />
</inbound>

This policy is extract object id from access token, I am not sure what the oid inside access token stand for, and I got 404 error when use this policy. (tip: my tenant of the AAD is different from where APIM hosted)

I think the policy show be as below to obtain oid from query parameter objectid, if objectid is empty, it will list all the users inside the tenant:

<rewrite-uri template="@("v1.0/users/" + context.Request.Url.Query.GetValueOrDefault("objectid",""))" copy-unmatched-params="false" />