AzureAD: Custom signing keys not working due to missing appid
Expected behaviour
Using azuread with custom signing keys should work.
Actual behaviour
Using azuread with custom (self-signed) signing keys, the standard https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys is loaded instead of https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?appid={appid}, resulting in Token error: Cannot find kid=XYZ.
Documentation
If your app has custom signing keys as a result of using the claims-mapping feature, you must append an appid query parameter containing the app ID to get a jwks_uri pointing to your app's signing key information, which should be used for validation.
Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
Source code
https://github.com/python-social-auth/social-core/blob/98c81ad7f0a8231c1b4b55fe88064d364c8e9c86/social_core/backends/azuread_tenant.py#L51 and https://github.com/python-social-auth/social-core/blob/98c81ad7f0a8231c1b4b55fe88064d364c8e9c86/social_core/backends/azuread_tenant.py#L49 are interesting here.
I think it would be better to call the discovery endpoint openid-configuration with the appid and extract jwks_uri from the result.
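The following is an added Python example (not social-core's code) showing the lookup path the issue describes: resolving jwks_uri through the OpenID Connect discovery document, with and without the appid query parameter, and then selecting the key by the token header's kid. The tenant id, app id and both JWKS documents are constructed fixtures served by an injected fetch function, so the script runs offline; the v2.0 discovery path and the key-selection logic are assumptions of this example, not taken from the issue.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

AUTHORITY = "https://login.microsoftonline.com"


def discovery_url(tenant, appid=None):
    """OpenID Connect discovery document for the tenant. With appid, the
    document's jwks_uri points at the app's own (claims-mapping) signing keys."""
    url = f"{AUTHORITY}/{tenant}/v2.0/.well-known/openid-configuration"
    if appid:
        url += "?" + urlencode({"appid": appid})
    return url


def http_get_json(url):
    # Real network fetch; the constructed fixtures below replace it when testing.
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def fetch_jwks(tenant, appid=None, fetch=http_get_json):
    """Resolve jwks_uri via discovery instead of hardcoding the keys URL,
    then return the JWKS document it points to."""
    config = fetch(discovery_url(tenant, appid))
    return fetch(config["jwks_uri"])


def find_signing_key(jwks, kid):
    """Select the JWK whose kid matches the token header; fail closed otherwise."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise ValueError(f"Cannot find kid={kid}")


# --- constructed fixtures (hypothetical ids, not real Azure AD data) ---
TENANT = "contoso-tenant-id"
APPID = "00000000-0000-0000-0000-000000000001"
KEYS_URL = f"{AUTHORITY}/{TENANT}/discovery/v2.0/keys"
APP_KEYS_URL = KEYS_URL + "?" + urlencode({"appid": APPID})

FIXTURES = {
    # Tenant-wide discovery: jwks_uri has no appid, so only tenant keys appear.
    discovery_url(TENANT): {"jwks_uri": KEYS_URL},
    # App-specific discovery: jwks_uri carries appid, exposing the app's key.
    discovery_url(TENANT, APPID): {"jwks_uri": APP_KEYS_URL},
    KEYS_URL: {"keys": [
        {"kty": "RSA", "use": "sig", "kid": "tenant-kid",
         "n": "placeholder-modulus", "e": "AQAB"}]},
    APP_KEYS_URL: {"keys": [
        {"kty": "RSA", "use": "sig", "kid": "app-kid",
         "n": "placeholder-modulus", "e": "AQAB"}]},
}


def fake_fetch(url):
    """Offline stand-in for http_get_json backed by the fixtures above."""
    return FIXTURES[url]


def resolve_kid(tenant, kid, appid=None, fetch=fake_fetch):
    """Return the kid the lookup resolved to, or None when it is unknown
    (the 'Cannot find kid' failure from the issue)."""
    try:
        return find_signing_key(fetch_jwks(tenant, appid, fetch), kid)["kid"]
    except ValueError:
        return None


if __name__ == "__main__":
    # Token signed with the app's custom key, validated against tenant keys only:
    print(resolve_kid(TENANT, "app-kid"))           # None
    # Same token, keys resolved through discovery with appid:
    print(resolve_kid(TENANT, "app-kid", APPID))    # app-kid
```

The first call reproduces the reported failure (the tenant-wide JWKS does not contain the app's custom key); the second succeeds because discovery with appid returns a jwks_uri that already includes the query parameter, so no URL needs to be assembled by hand.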