This is an error in the OpenID validation, which means that the claims that were received don't have the same issuer as the one fetched from the :openid_configuration_uri path. For Azure this URL would be:
In short, you have to enable multi-tenancy in your app on Azure, and then update the application code to handle the issuer right:
Therefore, a multi-tenant application can’t validate tokens just by matching the issuer value in the metadata with the issuer value in the token. A multi-tenant application needs logic to decide which issuer values are valid and which are not based on the tenant ID portion of the issuer value.
Hmm, that lib is using oauth2 instead of OIDC, and it doesn't seem like it does any validation of the token. I feel OIDC is the safer choice. I'll go over this tomorrow, thanks for opening the issue!