Description
If I create an OAuth2/OIDC client using this library and the oauth2 golang package, it will not work with AzureAD - as it fails to verify the ID token received in the code exchange procedure during callback...

https://sts.windows.net/MY_TENANT_ID_HERE/.well-known/openid-configuration contains `"id_token_signing_alg_values_supported":["RS256"]`, meaning it'll intend to sign the ID tokens with RS256. However, when I exchange my code for a token, the JWS has a single signature with `none` as the alg:
```go
// exchange token with pkce verifier
token, err := oauth2Config.Exchange(
	r.Context(),
	code,
	oauth2.SetAuthURLParam("code_verifier", codeVerifierStr)) // pkce
if err != nil {
	// handle the exchange error
}
// token.Extra returns interface{}; the id_token is a string when present
idTokenStr, ok := token.Extra("id_token").(string)
if !ok {
	// no id_token in the token response
}
idToken, err := idTokenVerifier.Verify(r.Context(), idTokenStr)
// BANG: err will always be "failed to verify id token signature"
```
After inspecting the idTokenStr using jwt.io, I can see that it doesn't have a signature 😢 .
When stepping through the code, I can see that if I create a verifier using this code:

```go
idTokenVerifier := *auth.Verifier(&oidc.Config{ClientID: clientID})
```

...and do not specify `SupportedSigningAlgs`, it'll default to the ones in the directory. Therefore, I tried to manually add "none" as a supported algorithm. It gets further, but still fails inside `idTokenVerifier.Verify` 😢.
Therefore, this library has no method of verifying an unsigned id token - which is the behaviour AzureAD exhibits.

I realise this behaviour may be incorrect and one could argue that this is a bug with AzureAD; however, I believe this library should still allow me to override the signature check in the same vein you allow me to `SkipClientIDCheck`, `SkipExpiryCheck` and `SkipIssuerCheck`.
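The following is an added example, not code from this issue or from the go-oidc library, showing how a relying party can confirm the observation above before handing a token to a verifier: decode the JOSE header of the compact JWS, check whether the third segment (the signature) is actually present, and refuse any token whose `alg` is `none` or whose algorithm is not in the `id_token_signing_alg_values_supported` list published by the tenant's discovery document. The sample tokens, tenant id, client id and function names are all constructed for illustration; nothing here performs a cryptographic check, which remains the verifier's job.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWSHeader holds the protected-header fields that matter for this pre-check.
type JWSHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
	Typ string `json:"typ,omitempty"`
}

// InspectIDToken splits a compact JWS (header.payload.signature), decodes the
// protected header and reports whether a signature segment is present at all.
// It verifies nothing; it only tells you what kind of token you received.
func InspectIDToken(raw string) (hdr JWSHeader, signed bool, err error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return hdr, false, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return hdr, false, fmt.Errorf("decode header: %w", err)
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return hdr, false, fmt.Errorf("parse header: %w", err)
	}
	return hdr, parts[2] != "", nil
}

// ErrUnsignedToken is returned for alg=none or an empty signature segment.
var ErrUnsignedToken = errors.New("id_token is unsigned (alg none / empty signature)")

// RejectUnsigned is the gate to run before a real verifier: an unsigned token
// can be minted by anyone with arbitrary claims, so it must never be trusted,
// and the algorithm must be one the issuer advertised in its discovery document.
func RejectUnsigned(raw string, supported []string) error {
	hdr, signed, err := InspectIDToken(raw)
	if err != nil {
		return err
	}
	if !signed || strings.EqualFold(hdr.Alg, "none") {
		return ErrUnsignedToken
	}
	for _, a := range supported {
		if a == hdr.Alg {
			return nil
		}
	}
	return fmt.Errorf("alg %q not in id_token_signing_alg_values_supported %v", hdr.Alg, supported)
}

// encodeSegment base64url-encodes a JSON object without padding (JWS style).
func encodeSegment(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// ConstructedUnsignedToken mimics the token described in the report:
// alg=none header and an empty signature segment. Constructed sample data.
func ConstructedUnsignedToken() string {
	h := encodeSegment(map[string]string{"alg": "none", "typ": "JWT"})
	p := encodeSegment(map[string]interface{}{
		"iss": "https://sts.windows.net/EXAMPLE_TENANT_ID/", // constructed
		"aud": "example-client-id",                          // constructed
		"sub": "user-1",
	})
	return h + "." + p + "."
}

// ConstructedRS256Token carries an RS256 header and a placeholder signature
// segment. The signature is not valid; it only exercises the pre-check.
func ConstructedRS256Token() string {
	h := encodeSegment(map[string]string{"alg": "RS256", "kid": "example-kid", "typ": "JWT"})
	p := encodeSegment(map[string]interface{}{"iss": "https://example.invalid/", "aud": "example-client-id", "sub": "user-1"})
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString([]byte("placeholder-signature"))
}

func main() {
	supported := []string{"RS256"} // as published by the tenant's discovery document
	for _, tok := range []string{ConstructedUnsignedToken(), ConstructedRS256Token()} {
		hdr, signed, _ := InspectIDToken(tok)
		fmt.Printf("alg=%-6s signed=%-5v gate=%v\n", hdr.Alg, signed, RejectUnsigned(tok, supported))
	}
}
```

Running this prints the unsigned token as `alg=none signed=false` with the gate rejecting it, and the RS256 token as passing the gate (it would still have to pass real signature verification afterwards). The design point is that "add `none` to the supported algorithms" or "skip the signature check" turns the ID token into an unauthenticated JSON blob; the pre-check makes that condition visible and loggable instead.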