I have added bearer token authentication on an API for a client. In the access token that's sent to the API, the issuer is this: http://[some-domain.com]/adfs/services/trust.

Is the identity provider configured incorrectly or in an unsafe way when this URL is on HTTP, and not HTTPS? Or is this simply just a string, not used to make requests, and thus it doesn't matter if it says HTTP?
The iss claim is a string or URI, which means that the service receiving the token will use it to determine whether to trust the token or not by comparing the value to a list of issuers it is configured to trust.
The string comparison should follow the rules described in RFC 3986.
The value is not a URL, so the value does not point to any real resource on the network.
See RFC 7519 for more information on JWT and standard claims.
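To make the comparison described in the answer concrete, here is an added example (not part of the question or answer above) of a token consumer that verifies the signature and then checks iss against a configured allowlist by exact string comparison, never fetching anything from the value. It assumes a shared HS256 secret and a constructed allowlist containing the question's issuer; the secret, claims and helper names are illustrative only.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example only (not from the original post).
TRUSTED_ISSUERS = {"http://some-domain.com/adfs/services/trust"}
SHARED_SECRET = b"example-hs256-secret"  # assumption: HS256 keeps the demo self-contained


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT so the example needs no network or third-party library."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, trusted_issuers: set) -> dict:
    """Verify the signature, then check iss by exact string comparison.

    The issuer value is only ever compared against the allowlist (RFC 7519
    section 4.1.1 with RFC 3986 simple string comparison); it is never
    dereferenced, so http vs https only matters for whether it matches.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    iss = claims.get("iss")
    # Exact, case-sensitive comparison: scheme, host case and trailing slash all count.
    if not isinstance(iss, str) or iss not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {iss!r}")
    return claims


def issuer_accepted(iss: str) -> bool:
    """Mint a validly signed token carrying the given iss and report whether it is accepted."""
    token = make_token({"iss": iss, "sub": "alice"}, SHARED_SECRET)
    try:
        verify_token(token, SHARED_SECRET, TRUSTED_ISSUERS)
        return True
    except ValueError:
        return False


def tampered_token_rejected() -> bool:
    """A token whose payload was altered after signing must fail before iss is even consulted."""
    token = make_token({"iss": next(iter(TRUSTED_ISSUERS)), "sub": "alice"}, SHARED_SECRET)
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(
        json.dumps({"iss": next(iter(TRUSTED_ISSUERS)), "sub": "admin"}, separators=(",", ":")).encode("utf-8")
    )
    try:
        verify_token(f"{header_b64}.{forged_payload}.{sig_b64}", SHARED_SECRET, TRUSTED_ISSUERS)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for candidate in (
        "http://some-domain.com/adfs/services/trust",
        "https://some-domain.com/adfs/services/trust",
        "http://some-domain.com/adfs/services/trust/",
    ):
        print(candidate, "->", "accepted" if issuer_accepted(candidate) else "rejected")
```

The practical consequence: the http:// issuer is safe to accept as long as the API's configured trusted issuer is the identical string; if the identity provider ever changes the value (for instance to https://), the API's allowlist must change with it, because no normalization or request is performed on it.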