Hi adrian_hall,
I agree that having a fixed list of Client IDs seems a significant drawback to implementing this policy vs validate-jwt. Setting permissions should be done in AAD and therefore be dynamic, rather than updating every product, API or (heaven forbid) API Operation with the list of valid client ids.
In Validate JWT, you check the issuer (is your Tenant), check the Audience (your API or group of APIs through App Registrations) and the Claim (your API Permissions). As long as you trust the issuer then the audience and claims authorised by that entity should be enough regardless of who the client is.
I understand that it sounds like the validate-azure-aad-token improves the real-time nature of the check against AAD rather than just looking at the token, but at the expense of having to update code each time a new user is onboarded? Am I missing something?
Thanks,
Jason
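The two policies the post compares, as an added illustration that is not part of Jason's reply: the first fragment is a validate-jwt policy that pins issuer, audience and a required claim (so onboarding a new client only needs AAD changes), the second is the validate-azure-ad-token form with its client-application-ids list, which is what has to be edited per policy whenever a client is added. All tenant, app and claim values are placeholders.

```xml
<!-- Option A: validate-jwt. Trust is anchored in the issuer (your tenant), the
     audience (your API's app registration) and the claim the caller must carry.
     Any client AAD has consented to the API can call it without touching this policy.
     Placeholders: <TENANT-ID>, <API-APP-ID>, Orders.Read -->
<inbound>
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <!-- signing keys are fetched from the tenant's metadata, so key rollover needs no edit -->
        <openid-config url="https://login.microsoftonline.com/<TENANT-ID>/v2.0/.well-known/openid-configuration" />
        <issuers>
            <issuer>https://login.microsoftonline.com/<TENANT-ID>/v2.0</issuer>
        </issuers>
        <audiences>
            <audience>api://<API-APP-ID></audience>
        </audiences>
        <required-claims>
            <!-- the API permission (app role) granted in AAD; "any" accepts one of the listed values -->
            <claim name="roles" match="any">
                <value>Orders.Read</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>

<!-- Option B: validate-azure-ad-token. Same audience and claim checks, but the
     calling client IDs are enumerated here, so each new client means a policy edit. -->
<inbound>
    <validate-azure-ad-token tenant-id="<TENANT-ID>"
                             header-name="Authorization"
                             failed-validation-httpcode="401">
        <client-application-ids>
            <application-id><CLIENT-APP-ID-1></application-id>
            <application-id><CLIENT-APP-ID-2></application-id>
        </client-application-ids>
        <audiences>
            <audience>api://<API-APP-ID></audience>
        </audiences>
        <required-claims>
            <claim name="roles" match="any">
                <value>Orders.Read</value>
            </claim>
        </required-claims>
    </validate-azure-ad-token>
</inbound>
```

Deploy only one of the two inbound sections; they are shown together so the per-client list in Option B can be compared directly with the issuer-anchored Option A.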