
Azure AD role in JWT issue/validation, vs Exchange Online (as part of Office 365)


I've got my head around ADFS talking to Office 365 talking to Exchange Online. Subscribers are involved.

And similarly ADFS talking to Azure AD. Logically, the public is involved, should I have issued someone an identity from my namespace.

Now comes my headache (and this may be because I'm old and frail, security engineering wise).

I have Exchange Online talking to my hosted app site, which can obtain an Exchange-issued JWT. Logically, this is used by a UA co-resident in the app site that calls a (token-consuming) web service (on the same hosting site).

The token identifies the Exchange user/mailbox; which is tied to the Office 365 subscription, which ties to ADFS, all tied ultimately to the ImmutableID.

Since I have to verify the token as someone offering a data API, I was desperately hoping that my (Ping Identity) security server's verify-JWTs service could cooperate with other JWT issuers (like Exchange Online) to verify the token. But it cannot. JWT verification would be rather like OCSP verification for certs (in that a validation server could chain off requests to other nodes, should the local node not be authoritative).

Now, folks realize with the way Office 365 identities work (for subscribers) vs Azure AD identities (for the public), either can be accessing my web service, presenting a JWT. After all, not all apps are plugins to an Exchange subscriber's mailbox. But, in one case I have to verify a JWT I issue as an authority (since Azure AD doesn't do that for us); whereas in the other case I have to use Exchange's JWT verification service, since Exchange DOES issue JWTs for Office 365 users using an app that extends Outlook mail content rendering.

It's all very confusing. I'm still struggling to place "Azure AD". I'm settled on how it enables access to its OWN Graph API by "directory apps". And, obviously, it's easy to see Azure AD in its web SSO asserting-party role. But Azure AD in the JWT issuing/validation role is less clear. That seems to be based on doing what we did a long time ago in the OCSP world (when validating certs issued by others) with JWTs; but I don't see any story on that in any forum.

No question. Just architectural confusion.
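The post above contrasts OCSP-style chained validation with what a JWT-consuming API actually has to do: keep its own registry of trusted issuers and their signing keys, route each incoming token on its `iss` claim, and reject anything from an issuer it does not know. The block below is an added example that is not part of the original post and is not code from Exchange Online, Azure AD or Ping Identity. Real Exchange add-in identity tokens and Azure AD tokens are RS256-signed with issuer-published public keys; here HS256 with constructed shared secrets stands in for those keys so the example runs offline on the standard library only. The issuer URLs, audience, subject and secrets are all constructed assumptions.

```python
"""Multi-issuer JWT verification keyed on the `iss` claim (added example).

Constructed stand-in: HS256 shared secrets replace the RS256 public keys
a real Exchange Online / Azure AD verifier would hold.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed registry: each issuer this API trusts, its signing key, and
# the audience value tokens from that issuer must carry for this API.
# In production this holds the issuer's public keys (fetched out-of-band
# from its metadata/JWKS document and cached), not shared secrets.
TRUSTED_ISSUERS = {
    "https://exchange.example.test/": {
        "key": b"exchange-signing-secret (constructed)",
        "audience": "https://api.example.test/",
    },
    "https://azuread.example.test/": {
        "key": b"azuread-signing-secret (constructed)",
        "audience": "https://api.example.test/",
    },
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used only to construct input for this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify a JWT from any trusted issuer; return its claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("malformed token") from exc

    # Pin the algorithm first: a header saying "none" or a swapped
    # algorithm must never reach the signature check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")

    # Route on the issuer claim. Unknown issuers are rejected outright;
    # there is no OCSP-style chaining to some other validator.
    issuer = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer is None:
        raise ValueError(f"untrusted issuer {claims.get('iss')!r}")

    expected = hmac.new(issuer["key"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # A valid token from a trusted issuer but minted for a different API
    # is still not acceptable here.
    if claims.get("aud") != issuer["audience"]:
        raise ValueError(f"wrong audience {claims.get('aud')!r}")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def verify_or_none(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Convenience wrapper: claims on success, None on any rejection."""
    try:
        return verify_token(token, now)
    except ValueError:
        return None


if __name__ == "__main__":
    now = 1_700_000_000
    exch_key = TRUSTED_ISSUERS["https://exchange.example.test/"]["key"]
    token = make_token({"iss": "https://exchange.example.test/",
                        "aud": "https://api.example.test/",
                        "sub": "mailbox-guid (constructed)",
                        "exp": now + 600}, exch_key)
    print(verify_token(token, now))
```

The design point is that the registry, not the token, decides who is trusted: the `iss` claim only selects which already-pinned key to check against, so a token that names an issuer the API has never enrolled fails before any signature is examined, and a correctly signed token from a trusted issuer still fails if its `aud` is some other service.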

