Improve JWT Assertion Validation #43642

@graziang

Description


PR #43444 introduces the JWTAuthorizationGrantValidationContext class to perform initial validation of the provided JWT assertion with the authorization grant. Some improvements can be made to the validation process:

  • Reduce code duplication — in particular, avoid duplicating the logic that validates whether the token is active. It might be good to reuse AbstractJWTClientValidator.
  • Improve handling of maximum exp time and clock skew, which are currently hardcoded with default values.
  • Add replay check for assertions by maintaining a set of used jti values to prevent JWT replay attacks.
  • Validate other claims (iat, nbf) when present, even though they are not mandatory by the RFC.
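As an added example (not Keycloak code from this issue or the linked PR), the claim checks listed above gathered in one Python class: a configurable maximum exp lifetime and clock skew, optional nbf/iat checks, and a jti replay record that is pruned once a token could no longer be accepted anyway. The class name, the thresholds and the decision to require a jti on every assertion are assumptions of this example.

```python
import time
from typing import Dict, Optional, Tuple


class JwtAssertionValidator:
    """Claim checks for a JWT authorization-grant assertion (constructed example, not Keycloak code)."""

    def __init__(self, max_exp_seconds: int = 300, clock_skew_seconds: int = 10):
        self.max_exp = max_exp_seconds          # how far in the future exp may lie
        self.skew = clock_skew_seconds          # tolerated clock drift between parties
        self._used_jti: Dict[str, int] = {}     # jti -> exp, kept so replay state can be pruned

    def _prune(self, now: int) -> None:
        # Forget jti values whose token would be rejected as expired anyway.
        expired = [j for j, exp in self._used_jti.items() if exp + self.skew <= now]
        for j in expired:
            del self._used_jti[j]

    def validate(self, claims: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        exp = claims.get("exp")
        if not isinstance(exp, int):
            return False, "missing exp"
        if exp + self.skew <= now:
            return False, "token expired"
        if exp - now > self.max_exp + self.skew:      # bound the lifetime a client may claim
            return False, "exp too far in the future"
        nbf = claims.get("nbf")                        # optional: reject tokens not yet valid
        if nbf is not None and nbf - self.skew > now:
            return False, "token not yet valid (nbf)"
        iat = claims.get("iat")                        # optional: reject tokens issued in the future
        if iat is not None:
            if iat - self.skew > now:
                return False, "iat in the future"
            if exp < iat:
                return False, "exp before iat"
        jti = claims.get("jti")                        # this example requires jti (assumption)
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        self._prune(now)
        if jti in self._used_jti:                      # replay check
            return False, "replayed jti"
        self._used_jti[jti] = exp
        return True, "ok"
```

In a clustered deployment the jti record would have to live in shared storage rather than in-process memory, otherwise a replay against another node would pass.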
