ValidatorAccessTokenValidator is an implementation of AccessTokenValidator that is used
by the broker to perform more extensive validation of the JWT access token that is received
from the client, but ultimately from posting the client credentials to the OAuth/OIDC provider's
The validation steps performed (primarily by the jose4j library) are:
Creates a new ValidatorAccessTokenValidator that will be used by the broker for more
thorough validation of the JWT.
clockSkew - The optional value (in seconds) to allow for differences
between the time of the OAuth/OIDC identity provider and
the broker. If null is provided, the broker
and the OAuth/OIDC identity provider are assumed to have
very close clock settings.
expectedAudiences - The (optional) set of audiences the broker will use to
verify that the JWT was issued for one of the expected audiences.
The JWT will be inspected for the standard OAuth
aud claim and, if this value is set, the
broker will compare the value of the JWT's aud
claim against it to see if there is an exact match. If there is no
match, the broker will reject the JWT and authentication
will fail. May be null to not perform any
check to verify the JWT's aud claim matches any
fixed set of known/expected audiences.
expectedIssuer - The (optional) value for the broker to use to verify that
the JWT was created by the expected issuer. The JWT will
be inspected for the standard OAuth iss claim
and if this value is set, the broker will match it
exactly against what is in the JWT's iss
claim. If there is no match, the broker will reject the JWT
and authentication will fail. May be null to not
perform any check to verify the JWT's iss claim
matches a specific issuer.
verificationKeyResolver - jose4j-based VerificationKeyResolver that is used
to validate the signature matches the contents of the header
scopeClaimName - Name of the scope claim to use; must be non-null
subClaimName - Name of the subject claim to use; must be
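
The effect of leaving expectedAudiences and expectedIssuer null, shown as an added example that is not the broker's own code. The class ValidatorSketch, its build and sign helpers, the in-memory test key, and the issuer and audience strings are all constructed for illustration, and setSkipDefaultAudienceValidation() is used here as an assumption to model the documented "null means no check" behaviour with jose4j.

```java
import java.util.Set;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.*;
import org.jose4j.keys.resolvers.VerificationKeyResolver;

public class ValidatorSketch {
    // Hypothetical helper: maps the documented constructor parameters onto a jose4j consumer.
    static JwtConsumer build(Integer clockSkew, Set<String> expectedAudiences,
                             String expectedIssuer, VerificationKeyResolver resolver) {
        JwtConsumerBuilder b = new JwtConsumerBuilder()
            .setRequireExpirationTime()
            .setJwsAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE) // refuse alg=none
            .setVerificationKeyResolver(resolver);
        if (clockSkew != null) b.setAllowedClockSkewInSeconds(clockSkew);
        if (expectedIssuer != null) b.setExpectedIssuer(expectedIssuer);
        if (expectedAudiences != null && !expectedAudiences.isEmpty())
            b.setExpectedAudience(expectedAudiences.toArray(new String[0]));
        else
            b.setSkipDefaultAudienceValidation(); // null: the aud claim is not checked
        return b.build();
    }
    // Constructed test token signed with a throwaway key (stands in for the identity provider).
    static String sign(RsaJsonWebKey key, String iss, String aud) throws Exception {
        JwtClaims c = new JwtClaims();
        c.setIssuer(iss);
        c.setAudience(aud);
        c.setSubject("client-1");
        c.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(c.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        VerificationKeyResolver resolver = (jws, ctx) -> key.getKey();
        String token = sign(key, "https://idp.example", "other-service");
        // Both checks disabled: a validly signed token minted for another audience passes.
        build(30, null, null, resolver).processToClaims(token);
        try { // Both checks enabled: the same token fails on the aud mismatch.
            build(30, Set.of("kafka-broker"), "https://idp.example", resolver).processToClaims(token);
        } catch (InvalidJwtException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

When one identity provider issues tokens for several services, setting both expectedAudiences and expectedIssuer keeps a token obtained for a different service from authenticating to the broker.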