I'm playing with Web API and trying to set up the app configuration for proper signature validation in WindowsAzureActiveDirectoryBearerAuthenticationOptions.
I have noticed that the MetadataAddress field is not used in several examples online and in the AAD auth samples: https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore/blob/master/TodoListServiceMT/App_Start/Startup.Auth.cs
When I launch the app, I noticed there is a request to https://login.windows.net/common/federationmetadata/2007-06/federationmetadata.xml on app launch even though the field is not set. Is this the default value for MetadataAddress?
The tenant parameter passed in the options is enough for the middleware to determine the location of the metadata document of the corresponding Azure AD tenant. In the case of multitenant applications, as you observed, that value is `common`. In the multitenant sample you can see that there is custom logic that takes over the verification of the issuer (what you called the "sts address"; that's more of an identifier). As you can see in the file that you linked, the options turn off the issuer validation via the switch `ValidateIssuer = false`. If you take a look at https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore/blob/master/TodoListServiceMT/AuthorizationFilters/MTAuthorizeAttribute.cs, you'll see that it executes logic meant to compare the issuer in the incoming token against a list of trusted issuers. Your own application might have different business logic for establishing whether the issuer of the incoming token should be trusted.
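The following is an added example (not code from the question, the answer, or the linked AzureADSamples project) of what the answer describes: the middleware is pointed at the `common` tenant, so the issuer can be any Azure AD tenant, and the application itself decides which issuers it trusts. Instead of the sample's `ValidateIssuer = false` plus a separate authorization filter, this version keeps issuer validation on and plugs an allow-list check into `TokenValidationParameters.IssuerValidator`, so a token from an unknown tenant is rejected before the request reaches a controller. Assumptions: the OWIN packages `Microsoft.Owin.Security.ActiveDirectory` and `System.IdentityModel.Tokens.Jwt` (4.x) are installed, the audience URI and the tenant IDs in `TrustedTenantIds` are constructed placeholders, and the Azure AD v1 issuer format `https://sts.windows.net/{tenantId}/` is used as the parsing rule.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Constructed placeholder tenant IDs; a real application would load these
    // from its tenant-registration store (the sample reads them from a database).
    private static readonly HashSet<string> TrustedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222"
        };

    // Azure AD v1 access tokens carry an issuer of the form
    // https://sts.windows.net/{tenantId}/ ; the tenant ID is the trust anchor.
    private const string IssuerPrefix = "https://sts.windows.net/";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // "common" makes the middleware fetch signing keys from
                // https://login.windows.net/common/federationmetadata/2007-06/federationmetadata.xml,
                // which covers every tenant; issuer trust is therefore our job.
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = "https://contoso.example/TodoListServiceMT", // placeholder
                    ValidateIssuer = true,
                    IssuerValidator = ValidateIssuerAgainstAllowList
                }
            });
    }

    // Hook for the JWT handler: return the issuer to accept it, throw to reject.
    private static string ValidateIssuerAgainstAllowList(
        string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        if (IsTrustedIssuer(issuer))
        {
            return issuer;
        }
        throw new SecurityTokenInvalidIssuerException(
            "Issuer is not a registered tenant: " + issuer);
    }

    // Pure decision logic, kept separate so it can be unit-tested without OWIN.
    public static bool IsTrustedIssuer(string issuer)
    {
        string tenantId = TryExtractTenantId(issuer);
        return tenantId != null && TrustedTenantIds.Contains(tenantId);
    }

    // Returns the tenant GUID from an Azure AD v1 issuer URL, or null if the
    // string does not have the expected shape (wrong host, missing GUID, etc.).
    public static string TryExtractTenantId(string issuer)
    {
        if (string.IsNullOrEmpty(issuer) ||
            !issuer.StartsWith(IssuerPrefix, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }

        string remainder = issuer.Substring(IssuerPrefix.Length).TrimEnd('/');
        Guid tenantGuid;
        // Require a bare GUID: rejects "https://sts.windows.net/<guid>/extra" and
        // look-alike hosts such as "https://sts.windows.net.evil.example/".
        return Guid.TryParseExact(remainder, "D", out tenantGuid)
            ? tenantGuid.ToString("D")
            : null;
    }
}
```

With this in place, `https://sts.windows.net/11111111-1111-1111-1111-111111111111/` is accepted and any other issuer, including one with a valid Azure AD signature from an unregistered tenant, fails authentication with an invalid-issuer error. Whether you use `IssuerValidator` or the sample's filter approach, the important property is the same: the signature check only proves the token came from some Azure AD tenant, and the application must separately check that it came from a tenant it has chosen to trust.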