Support AAD JWT token validation more directly using AAD metadata
There is currently a way to validate JWT tokens in the policies. This is great. However, it could be done better in the case the JWT tokens are issued by AAD. In that case one would like to give the tenant ID of AAD and the Application ID that is assigned to the API. This way the policy would automatically extract the valid certificate from AAD metadata (something like https://login.microsoftonline.com/38cda3b4-71fa-4748-a48e-e50ef1ebfe00/federationmetadata/2007-06/federationmetadata.xml).
That would prevent us from having to do this manually each time the global AAD certificate changes (next one is before Mar 2019). It would be more in the spirit of the way Owin does it. (The issuer could also be automated.)
Hi, not sure I understand the request correctly, but this is supported today: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT
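
Added example, not part of the original thread or the linked documentation: a validate-jwt policy that takes its signing keys from the tenant's OpenID Connect metadata through the openid-config element, so no certificate is pasted in by hand and key rollover needs no policy change. The {tenant-id} and {application-id} values are placeholders, and the issuer shown assumes v1.0 AAD tokens.

```xml
<!-- Inbound section of an API Management policy (added example). -->
<inbound>
    <base />
    <!-- Reject the request with 401 unless the bearer token validates. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-expiration-time="true"
                  require-scheme="Bearer"
                  require-signed-tokens="true">
        <!-- Signing keys are read from the tenant's OpenID Connect metadata,
             so a rolled AAD signing certificate is picked up without editing
             the policy. {tenant-id} is a placeholder. -->
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
        <!-- Accept only tokens issued for this API.
             {application-id} is a placeholder for the Application ID
             (or App ID URI) assigned to the API in AAD. -->
        <audiences>
            <audience>{application-id}</audience>
        </audiences>
        <!-- Assumption: v1.0 tokens, whose issuer is the sts.windows.net form.
             Pinning the issuer restricts tokens to this one tenant. -->
        <issuers>
            <issuer>https://sts.windows.net/{tenant-id}/</issuer>
        </issuers>
    </validate-jwt>
</inbound>
```

Without the audiences element, any validly signed token from the tenant would pass, including tokens issued for a different application.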