OAUTH2 azuread authentication via UseOAuthBearerAuthentication


I have working middleware using deprecated Azure AD authentication. It looks like this.

    public partial class Startup
    {

        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                    },
                });
        }
    }

However, I switched to using OAuthBearerAuthenticationOptions:

    using Microsoft.Owin;
    using Microsoft.Owin.Security.Jwt;
    using Microsoft.Owin.Security.OAuth;
    using Owin;
    using System.Configuration;
    using Microsoft.IdentityModel.Tokens;
    using WebProj.Other.SettingsState;
    using System.Text;

    [assembly: OwinStartup(typeof(WebProj.Startup))]

    namespace WebProj
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
                {
                    AccessTokenFormat = new JwtFormat(new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                    {
                        ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
                        ValidIssuer = ConfigurationManager.AppSettings["ida:Tenant"],
                    })
                });
            }
        }
    }

When I try to call my API from Postman, secured with a valid Azure AD client credential flow bearer token, I get this error in the console window. Same everything apart from the 2 differing code blocks using slightly different middleware. The Azure AD version works, the standard OWIN one complains.

    Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
    Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match keys: 
    kid: '[PII is hidden]', 
    token: '[PII is hidden]'.
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
       at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__3.MoveNext()

It feels like the OWIN middleware cannot obtain the public signing key? I can't be sure. Do I have to grab it from somewhere and supply it directly, or something? If so, how, and where do I find it?

The audience and tenant look like this (actual GUIDs replaced with random GUIDs for this example):

    <add key="ida:Audience" value="https://sslwebb2c.onmicrosoft.com/5016003D-29FE-4782-9041-49914444D94E"/>
    <add key="ida:Tenant" value="C0B2D865-031C-4C85-9A5E-367D83F578D3"/>

I added this to the web.config to get debug output in the console window:

    <system.diagnostics>
      <sources>
        <source name="Microsoft.Owin.Security" switchValue="Verbose">
          <listeners>
            <add name="console" />
          </listeners>
        </source>
        <source name="Microsoft.IdentityModel" switchValue="Verbose">
          <listeners>
            <add name="console" />
          </listeners>
        </source>
      </sources>
      <sharedListeners>
        <add name="console" type="System.Diagnostics.ConsoleTraceListener" initializeData="false" />
      </sharedListeners>
      <switches>
        <add name="Microsoft.IdentityModel" value="Verbose" />
        <add name="Microsoft.Owin.Security" value="Verbose" />
      </switches>
    </system.diagnostics>
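Added example, not code from the question or from the OWIN or Azure AD libraries' own samples: the deprecated Azure AD middleware fetches the tenant's signing keys from its OpenID Connect discovery document for you, while the plain OAuthBearerAuthentication setup above supplies no keys at all and sets ValidIssuer to the bare tenant GUID, which is why the handler cannot match the token's kid. The block below wires the same discovery-based key lookup into JwtFormat; it assumes the Microsoft.IdentityModel.Protocols.OpenIdConnect package, the Azure AD v1 issuer format https://sts.windows.net/{tenant}/, and the alias OidcMetadata and helpers ResolveSigningKeys and PublishedKeys are my own names.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;
using OidcMetadata = Microsoft.IdentityModel.Protocols.ConfigurationManager<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumption: ida:Tenant holds the tenant GUID and tokens come from the Azure AD v1 endpoint.
        var tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        var audience = ConfigurationManager.AppSettings["ida:Audience"];
        // The tenant's discovery document publishes the issuer and its current signing keys (JWKS);
        // ConfigurationManager<T> caches the document, so keys are not re-downloaded per request.
        var metadata = new OidcMetadata(
            $"https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = new JwtFormat(new TokenValidationParameters
            {
                ValidAudience = audience,
                // v1 access tokens carry iss = https://sts.windows.net/{tenant}/, not the bare GUID.
                ValidIssuer = $"https://sts.windows.net/{tenant}/",
                // Published key(s) matching the token's kid; RequireSignedTokens stays true, so an unknown kid still fails.
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                    ResolveSigningKeys(metadata, kid)
            })
        });
    }

    // On a kid miss, force one metadata refresh so a rolled-over key is found before rejecting.
    private static IEnumerable<SecurityKey> ResolveSigningKeys(OidcMetadata metadata, string kid)
    {
        var keys = PublishedKeys(metadata, kid);
        if (keys.Count == 0) { metadata.RequestRefresh(); keys = PublishedKeys(metadata, kid); }
        return keys;
    }

    private static List<SecurityKey> PublishedKeys(OidcMetadata metadata, string kid) =>
        metadata.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult()
            .SigningKeys.Where(k => k.KeyId == kid).ToList();
}
```

With the Microsoft.IdentityModel trace source from the web.config above still set to Verbose, a token whose kid is absent from the refreshed JWKS is logged as the same IDX10501 failure, which is the expected outcome for a token signed by anything other than the tenant's published keys.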