sonar-auth-aad
Azure Active Directory "aud" JWT parameter is ignored
The current implementation of the plugin is not validating the "aud" parameter from the JWT token. Because of this, it is possible to log in from any Azure Active Directory "App registration", even if the specified "Client ID" belongs to a different "App registration".
It would be good to validate the audience parameter from the JWT token against the "Client ID" from the configuration, for security reasons.
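The missing check described above, as an added illustration that is not code from the sonar-auth-aad plugin: a stdlib-only audience check that compares the token's "aud" claim with the configured Client ID, handling the string and list forms RFC 7519 allows. The client IDs and tokens are constructed placeholders, and the function assumes the caller has already verified the token's signature and issuer.

```python
import base64
import json

# Constructed placeholder for the Client ID configured in SonarQube
# (the App registration that should be trusted). Not a real app or tenant.
CONFIGURED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515 appendix C).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _encode_claims(claims: dict) -> str:
    """Build an unsigned JWT for demonstration only (no signature segment)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def audience_matches(token: str, expected_client_id: str) -> bool:
    """Return True only if the token's "aud" claim names our Client ID.

    Assumes signature and issuer were already verified by the caller; this
    function only adds the audience check the issue reports as missing.
    Per RFC 7519 section 4.1.3, "aud" may be a single string or a list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected_client_id
    if isinstance(aud, list):
        return expected_client_id in aud
    return False  # missing or malformed audience: reject, never assume ours


# Constructed tokens: one issued for the trusted App registration,
# one issued for a different App registration in the same directory.
TOKEN_OURS = _encode_claims({"aud": CONFIGURED_CLIENT_ID, "upn": "alice@example.com"})
TOKEN_OTHER_APP = _encode_claims({"aud": "99999999-8888-7777-6666-555555555555", "upn": "alice@example.com"})
```

Without this comparison both tokens would be accepted; with it only TOKEN_OURS passes.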
That's in the works. I'm moving the plugin away from the old ADAL4J library to the Nimbus OAuth 2.0 SDK. I would have used MSAL, but kept experiencing massive errors in trying to use it. Token validation is planned as part of this work.