microsoft / CCF

Confidential Consortium Framework

Home Page:https://microsoft.github.io/CCF/


Verify JWT issuer constraint against the issuer url

maxtropets opened this issue · comments

commented

In #5809 an issuer constraint has been added to match the issuer against the token.iss.

However, the issuer URL and the issuer constraint might differ:

  • For AAD, the issuer URL might be https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration, but the constraint in the file is https://login.microsoftonline.com/{tenantid}/v2.0, meaning that we probably should check the domain.
  • However, https://limited.facebook.com/.well-known/openid-configuration/ has the issuer constraint https://www.facebook.com, so probably we have to check the subdomain.

It's up to this ticket to make further investigation and decide how to proceed.
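The two cases above differ in how the host of the OpenID discovery URL relates to the host of the issuer constraint: for AAD they are identical, for Facebook they are siblings under the same parent domain. The following is an added example (not CCF's code, and not the resolution adopted in the linked PRs) that classifies a discovery-URL / constraint pair into "exact", "same-parent-domain" or "mismatch" so both cases pass while an unrelated issuer is rejected. The parent-domain rule (last two DNS labels) and the requirement that both URLs be https are assumptions made here for illustration; a production check should use the public suffix list instead of the two-label rule.

```python
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Return the normalised host of an https URL.

    Assumption for this example: issuer URLs and constraints must be https
    and carry a hostname; anything else is rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"issuer URL must be https with a host: {url!r}")
    # urlsplit().hostname is already lower-cased; drop a trailing root dot.
    return parts.hostname.rstrip(".")


def _parent_domain(host: str) -> str:
    """Collapse a host to its last two labels.

    'www.facebook.com' -> 'facebook.com'
    'login.microsoftonline.com' -> 'microsoftonline.com'

    Assumption: a two-label parent is used for illustration only. It mishandles
    multi-label public suffixes such as 'co.uk'; use the public suffix list
    (e.g. the publicsuffix2 package) in real code.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def issuer_match_kind(openid_config_url: str, issuer_constraint: str) -> str:
    """Classify how the discovery URL's host relates to the constraint's host.

    Returns one of:
      'exact'              hosts are identical (the AAD case in the issue)
      'same-parent-domain' different hosts under one parent (the Facebook case)
      'mismatch'           unrelated hosts; the constraint should be rejected
    """
    config_host = _host(openid_config_url)
    constraint_host = _host(issuer_constraint)
    if config_host == constraint_host:
        return "exact"
    if _parent_domain(config_host) == _parent_domain(constraint_host):
        return "same-parent-domain"
    return "mismatch"


def issuer_constraint_matches(openid_config_url: str, issuer_constraint: str) -> bool:
    """True when the constraint is acceptable for the given discovery URL."""
    return issuer_match_kind(openid_config_url, issuer_constraint) != "mismatch"


# Constructed sample pairs: the two cases quoted in the issue plus two that
# must be rejected. These are illustrative inputs, not fetched metadata.
SAMPLES = [
    ("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
     "https://login.microsoftonline.com/{tenantid}/v2.0"),
    ("https://limited.facebook.com/.well-known/openid-configuration/",
     "https://www.facebook.com"),
    ("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
     "https://accounts.google.com"),
    ("https://limited.facebook.com/.well-known/openid-configuration/",
     "https://facebook.com.evil.example"),
]


if __name__ == "__main__":
    for config_url, constraint in SAMPLES:
        kind = issuer_match_kind(config_url, constraint)
        verdict = "accept" if issuer_constraint_matches(config_url, constraint) else "reject"
        print(f"{verdict:6} {kind:18} {config_url}  vs  {constraint}")
```

The classification is deliberately separate from the accept/reject decision so that a policy can choose to allow only "exact" matches (stricter, but would reject the Facebook configuration quoted above) or also "same-parent-domain". Note that the fourth sample, a look-alike host that merely contains the string "facebook.com", lands on "mismatch" because the comparison is on DNS labels rather than substrings.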

commented

Closed in #6175