Tags: azure, azure-active-directory, openid-connect, azure-ad-msal

Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com


I'm trying to validate an access token obtained from Azure Active Directory.

I obtained the token from https://login.microsoftonline.com/{{my tenant guid}}/v2.0

The issuer in the token that comes back is https://sts.windows.net//{{my tenant guid}}/ which doesn't match.

If I check the config at .well-known/openid-configuration the issuer is as expected: https://login.microsoftonline.com/....

I've found a similar issue reported on GitHub here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

The advice is to manually edit the manifest's json in the application registration in AAD and set "accessTokenAcceptedVersion": 2.

I've done this but it has made no difference. Why?


Solution

Update 2025: The property is now named requestedAccessTokenVersion in the new "Microsoft Graph App Manifest": https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation#attribute-differences-between-azure-ad-graph-and-microsoft-graph-formats. The default value is still null and needs to be changed to 2.

Original answer:

So it seems that changing the acceptedTokenVersion to 2 in the manifest did work; it just took time to take effect.

And yes, based on my tests, the audience is always the client id in v2 tokens.
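As an added example (not part of the question or the answer above), the following Python performs the claims-level part of validating an Azure AD access token. It reads the `ver` claim and derives the issuer form that version uses, so a v1.0 token issued by sts.windows.net is reported as a token-version mismatch (the manifest setting discussed above) rather than as an unexplained issuer failure. The tenant and client ids are placeholders, the tokens are constructed inline and unsigned, and signature verification against the tenant's `jwks_uri` is a separate, mandatory step that this example does not perform.

```python
import base64
import json
from typing import Optional

# Placeholder identifiers (constructed for this example, not real tenant/app ids).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with an empty signature, for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(tenant_id: str, ver: Optional[str]) -> str:
    """Issuer URL Azure AD uses for each access-token version."""
    if ver == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if ver == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise ValueError(f"unsupported or missing 'ver' claim: {ver!r}")


def check_claims(token: str, tenant_id: str, client_id: str,
                 require_version: Optional[str] = None) -> list:
    """Check ver/iss/aud/tid against the tenant and app the API expects.

    Returns a list of problems; an empty list means the claims are consistent.
    Signature verification against the tenant's jwks_uri must be done separately.
    """
    claims = decode_claims(token)
    problems = []

    ver = claims.get("ver")
    if require_version is not None and ver != require_version:
        problems.append(f"token version is {ver!r}, expected {require_version!r} "
                        "(check accessTokenAcceptedVersion / requestedAccessTokenVersion "
                        "in the app manifest)")

    try:
        want_iss = expected_issuer(tenant_id, ver)
        if claims.get("iss") != want_iss:
            problems.append(f"issuer {claims.get('iss')!r} does not match {want_iss!r}")
    except ValueError as exc:
        problems.append(str(exc))

    # v2 tokens carry the client id as audience; v1 tokens may carry the App ID URI
    # (api://<client id> is the default App ID URI; assumption for this example).
    accepted_aud = {client_id} if ver == "2.0" else {client_id, f"api://{client_id}"}
    if claims.get("aud") not in accepted_aud:
        problems.append(f"audience {claims.get('aud')!r} not in {sorted(accepted_aud)}")

    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} does not match tenant {tenant_id!r}")

    return problems


# Constructed sample tokens illustrating the question's symptom.
V1_TOKEN = make_unsigned_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
})
V2_TOKEN = make_unsigned_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
})

if __name__ == "__main__":
    for name, tok in (("v1", V1_TOKEN), ("v2", V2_TOKEN)):
        print(name, check_claims(tok, TENANT_ID, CLIENT_ID, require_version="2.0") or "OK")
```

Running it reports the v1.0 token as a version mismatch while its sts.windows.net issuer is accepted as correct for that version, which is the situation in the question: the token is valid, it is just not the v2.0 token the API was configured to expect.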