I have an Umbraco v13 site where I want to secure endpoints on an UmbracoApiController with Bearer tokens generated through EntraID.

I have added the MS Identity API authentication with the following:

services.AddMicrosoftIdentityWebApiAuthentication(_config);

A valid token is coming through, but OpenIddict is seemingly getting to it first and returning a 401 to the API request. When I add this directly after adding the Authentication service:

services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events.OnTokenValidated = context =>
    {
        return Task.CompletedTask;
    };
});

The API request then succeeds.

What is the approach that I should be taking here? The OpenIddict token authentication looks to be to do with Member Auth more than anything, so it doesn't seem like replacing the MS Auth with that is the right path.