The JWT bearer auth service normally retrieves the OIDC metadata from Azure AD automatically. There needs to be an option to supply this externally.
It should watch a config on disk and live update if it changes.
Documentation should highlight that this can only work with implicit id_tokens and not the auth code grant flow.