Description
We are using Microsoft EntraID authentication, and the application allows for multiple tenants to log in, so we have to use the discoveryUri for 'organizations' instead of a specific tenant (https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration). The issuer uri for this configuration is 'https://login.microsoftonline.com/{tenantid}/v2.0', but the tokens returned from the authorize endpoint have the specific tenant issuer, e.g. 'https://login.microsoftonline.com/11c43ee8-b9d3-4e51-b73f-bd9dda66e29c/v2.0'. Therefore the validation in OidcUserManagerBase.validateUser() fails with 'Issuer does not match. Expected https://login.microsoftonline.com/{tenantid}/v2.0, was https://login.microsoftonline.com/11c43ee8-b9d3-4e51-b73f-bd9dda66e29c/v2.0'.
As a workaround we manipulate the discoveryDocument after init() and remove the issuer, but this seems like a hack imho and there should be options to specify how/which parts of the token should be validated, or maybe the possibility to provide a custom validation?
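An added example (not code from the issue author or from the library discussed) of how issuer validation can accept the tenant-specific issuer behind the templated `{tenantid}` one without removing the check altogether: the placeholder becomes a GUID match, the tenant in the issuer is cross-checked against the token's `tid` claim, and an optional allow-list restricts which tenants may sign in. It assumes the claims come from an already signature-verified ID token and are available as a dict; the sample claims below are constructed, reusing the tenant id quoted in the report.

```python
import re
from typing import Iterable, Optional

# Templated issuer advertised by the 'organizations' discovery document (from the report).
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"


def issuer_pattern(template: str) -> "re.Pattern[str]":
    """Turn the templated issuer into an anchored regex that captures the tenant GUID."""
    head, tail = template.split("{tenantid}")
    return re.compile("^" + re.escape(head) + "(?P<tid>" + GUID + ")" + re.escape(tail) + "$")


def validate_issuer(claims: dict, template: str = ISSUER_TEMPLATE,
                    allowed_tenants: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return None when the issuer is acceptable, otherwise a reason string.

    Checks, in order: `iss` matches the template with a real GUID in the tenant slot,
    that GUID agrees with the `tid` claim, and (when given) the tenant is allow-listed.
    The literal template string itself never matches, so a missing substitution fails.
    """
    iss = str(claims.get("iss", ""))
    m = issuer_pattern(template).match(iss)
    if not m:
        return f"Issuer does not match {template}, was {iss!r}"
    tenant = m.group("tid").lower()
    tid = str(claims.get("tid", "")).lower()
    if tid != tenant:
        return f"tid claim {tid!r} does not match issuer tenant {tenant!r}"
    if allowed_tenants is not None and tenant not in {t.lower() for t in allowed_tenants}:
        return f"tenant {tenant!r} is not in the allow-list"
    return None


# Constructed sample claims; the tenant id is the one quoted in the issue.
TENANT = "11c43ee8-b9d3-4e51-b73f-bd9dda66e29c"
GOOD = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT}
TID_MISMATCH = {"iss": GOOD["iss"], "tid": "00000000-0000-0000-0000-000000000000"}
WRONG_HOST = {"iss": f"https://login.example.invalid/{TENANT}/v2.0", "tid": TENANT}

if __name__ == "__main__":
    for name, claims in [("good", GOOD), ("tid_mismatch", TID_MISMATCH), ("wrong_host", WRONG_HOST)]:
        print(name, "->", validate_issuer(claims) or "ok")
    print("allow-list ->", validate_issuer(GOOD, allowed_tenants=[TENANT]) or "ok")
```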