#179 handles the case for an Entra application that allows sign-ins from a single tenant. For Entra applications that allow sign-ins from personal and enterprise accounts, the https://login.microsoftonline.com/common/v2.0 issuer is used, which returns a metadata document with `issuer` set to https://login.microsoftonline.com/{tenantid}/v2.0.
This PR adds `ProviderMetadata::discover_with_options` and `ProviderMetadata::discover_async_with_options` to disable the `issuer` validation required by the OIDC spec. I think this is more discoverable than the proposed route in #122 of wrapping http_client to munge the response.
In the example `require_issuer_match` is disabled on the `IdTokenVerifier` because the ID token has the `iss` claim set with the specific tenant ID of the account, which is not a static value.
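The following is an added example, not code from openidconnect-rs or from this PR. It models the two issuer checks the PR description touches in dependency-free Rust: the discovery-time check that `discover_with_options` lets you switch off, and the ID-token `iss` check that `require_issuer_match(false)` switches off. It also shows the narrower alternative a relying party can use instead of disabling the token check outright: derive the expected issuer from the `{tenantid}` template in the common metadata document and the token's tenant claim, then compare exactly. Assumptions that are not stated on the page: the tenant identifier is taken from a `tid` claim, tenant IDs are GUIDs, and tenant pinning is a plain allow-list (the function names and the sample GUIDs are constructed for this example).

```rust
// Added example; not code from openidconnect-rs or from this PR.
// Assumptions (not stated in the PR text): the tenant comes from the token's
// `tid` claim, tenant IDs are GUIDs, and pinning is a simple allow-list.

pub const COMMON_ISSUER: &str = "https://login.microsoftonline.com/common/v2.0";
// What the common endpoint's metadata document actually reports as `issuer`.
pub const TEMPLATE_ISSUER: &str = "https://login.microsoftonline.com/{tenantid}/v2.0";

#[derive(Debug, PartialEq)]
pub enum IssuerError {
    DiscoveryMismatch { requested: String, got: String },
    MissingTid,
    MalformedTid(String),
    TenantNotAllowed(String),
    TokenMismatch { expected: String, got: String },
}

/// OIDC Discovery 4.3 check: the `issuer` in the fetched metadata must equal the
/// issuer the document was requested for. `validate_issuer = false` is what an
/// option to disable issuer validation amounts to: the mismatch is not reported.
pub fn check_discovery_issuer(
    requested: &str,
    metadata_issuer: &str,
    validate_issuer: bool,
) -> Result<(), IssuerError> {
    if !validate_issuer || requested == metadata_issuer {
        return Ok(());
    }
    Err(IssuerError::DiscoveryMismatch {
        requested: requested.to_string(),
        got: metadata_issuer.to_string(),
    })
}

/// Tenant IDs are GUIDs (8-4-4-4-12 hex). Refusing anything else keeps a `tid`
/// claim from being substituted into the issuer URL as an arbitrary path segment.
pub fn is_tenant_id(tid: &str) -> bool {
    tid.len() == 36
        && tid.chars().enumerate().all(|(i, c)| match i {
            8 | 13 | 18 | 23 => c == '-',
            _ => c.is_ascii_hexdigit(),
        })
}

/// Narrower replacement for turning the `iss` check off: build the expected issuer
/// from the metadata template and the token's `tid`, then compare exactly.
/// An empty `allowed_tenants` means "any tenant" (a true multi-tenant app);
/// otherwise the tenant must be on the list.
pub fn check_token_issuer(
    metadata_issuer: &str,
    iss_claim: &str,
    tid_claim: Option<&str>,
    allowed_tenants: &[&str],
) -> Result<(), IssuerError> {
    let tid = tid_claim.ok_or(IssuerError::MissingTid)?;
    if !is_tenant_id(tid) {
        return Err(IssuerError::MalformedTid(tid.to_string()));
    }
    if !allowed_tenants.is_empty()
        && !allowed_tenants.iter().any(|t| t.eq_ignore_ascii_case(tid))
    {
        return Err(IssuerError::TenantNotAllowed(tid.to_string()));
    }
    let expected = metadata_issuer.replace("{tenantid}", tid);
    if expected == iss_claim {
        Ok(())
    } else {
        Err(IssuerError::TokenMismatch { expected, got: iss_claim.to_string() })
    }
}

fn main() {
    // Constructed sample claims; not a real token.
    let tid = "11111111-2222-3333-4444-555555555555";
    let iss = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0";

    // Strict discovery rejects the common endpoint's templated issuer; relaxed accepts it.
    println!("{:?}", check_discovery_issuer(COMMON_ISSUER, TEMPLATE_ISSUER, true));
    println!("{:?}", check_discovery_issuer(COMMON_ISSUER, TEMPLATE_ISSUER, false));

    // Token check: pinned to one tenant, and with a tid that is not on the list.
    println!("{:?}", check_token_issuer(TEMPLATE_ISSUER, iss, Some(tid), &[tid]));
    println!("{:?}", check_token_issuer(TEMPLATE_ISSUER, iss, Some(tid),
        &["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]));
}
```

The point of `check_token_issuer` is that `require_issuer_match(false)` removes the binding between the token and the identity provider entirely, whereas substituting the tenant into the template keeps that binding and only relaxes the part that genuinely varies per account; pinning to an allow-list additionally prevents an attacker-controlled tenant from minting otherwise valid tokens for the application.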