Description
On https://hono.dev/docs/middleware/builtin/jwk, it states:
Specifically, it validates tokens using the provided keys, retrieves keys from jwks_uri if specified, and supports token extraction from cookies if the cookie option is set.
But what exactly is being validated?
I assume it checks the integrity at the very least, using the alg and kid in the header.
Does it also check the exp/nbf fields as part of its validation?
I'm pretty sure it doesn't check aud as that's not one of the options. Neither is iss.
There's all kinds of validation for access tokens (as an example, see https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-tokens). It would be really nice to know what the middleware does, so that what it doesn't do can be implemented in a subsequent middleware.
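One way to cover the claims the question asks about (exp, nbf, aud, iss) in a subsequent middleware, as an added example that is not Hono's own code. It assumes the jwk middleware has already verified the signature and stored the decoded payload under c.get('jwtPayload'), as Hono's jwt middleware does; the option names clockSkew, issuer, audience and now are this example's own.

```javascript
// Added example, not part of Hono: claim checks that run after signature
// verification. Assumes the verified payload is available as
// c.get('jwtPayload') (an assumption about the jwk middleware).

const DEFAULT_SKEW_SECONDS = 60; // tolerated clock drift between issuer and us

// Checks exp, nbf, iss and aud on an already signature-verified payload.
// Returns { ok: true } or { ok: false, reason }. `now` is seconds since epoch.
function checkClaims(payload, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const skew = opts.clockSkew ?? DEFAULT_SKEW_SECONDS;

  // exp is required: a token with no expiry should never be accepted.
  if (typeof payload.exp !== 'number') return { ok: false, reason: 'missing exp' };
  if (now >= payload.exp + skew) return { ok: false, reason: 'token expired' };

  // nbf is optional, but if present the token must not be used early.
  if (typeof payload.nbf === 'number' && now + skew < payload.nbf) {
    return { ok: false, reason: 'token not yet valid' };
  }

  // iss must match the expected issuer exactly (no prefix matching).
  if (opts.issuer !== undefined && payload.iss !== opts.issuer) {
    return { ok: false, reason: 'issuer mismatch' };
  }

  // aud may be a string or an array; our audience must be listed.
  if (opts.audience !== undefined) {
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(opts.audience)) return { ok: false, reason: 'audience mismatch' };
  }
  return { ok: true };
}

// Hono-style middleware factory to chain after jwk(); rejects with 401
// rather than leaking which claim failed to the client.
function claimsMiddleware(opts) {
  return async (c, next) => {
    const payload = c.get('jwtPayload');
    const result = payload ? checkClaims(payload, opts) : { ok: false, reason: 'no payload' };
    if (!result.ok) return c.text('Unauthorized', 401);
    await next();
  };
}
```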