I am implementing an Azure AD authentication scheme currently, and have been reading up on validating access tokens, but have found conflicting information about using the certificate from the x5c claim to validate a token's validity.
As I am only working with Azure AD, I am getting the jwks set from the jwks_url found in https://login.microsoftonline.com/[TENANTID]/.well-known/openid-configuration, which is hardcoded in my application and not supplied or extracted from the access token in any way.
I can't see any issues in using the certificate, as it is being retrieved from a trusted URL, but is there something I am not aware of? I have not done that much work with token-based authentication.