oidc.id-token
Generic ID token validation for any OIDC provider.
Provides a high-level API for validating ID tokens from any OIDC-compliant provider (Google, Apple, Microsoft, etc.). Handles discovery document fetching, JWKS retrieval, signature validation, and claims verification.
Usage:

    ;; JVM (synchronous)
    (let [validator (create-validator)]
      (validate validator {:id-token "eyJhbG…"
                           :issuer   "https://accounts.google.com"
                           :audience "your-client-id"}))
    ;; => {:valid? true :claims {:sub "…" :email "…" …}}

    ;; ClojureScript (returns Promise)
    (-> (validate validator opts)
        (.then #(println "Claims:" (:claims %))))
create-validator
(create-validator)
Creates an ID token validator.
The validator caches discovery documents and JWKS to minimize network requests. Cache TTL is 1 hour by default.
Returns: A validator map containing the discovery client and JWT validator.
extract-email
(extract-email claims)
Extracts the email from validated claims.
Returns the email only if email_verified is true (or not present, as some providers don’t include it when email is always verified).
extract-subject
(extract-subject claims)
Extracts the subject (user ID) from validated claims.
The subject is the unique identifier for the user within the provider’s system. This value is stable across logins for the same user.
token-expired?
(token-expired? claims)
Checks if a token's expiration time has passed.
Takes the claims from a validated token and returns true if the token has expired. Returns false if no exp claim is present. Useful for checking cached tokens.
validate
(validate {:keys [discovery-client jwt-validator]} {:keys [id-token issuer audience nonce]})
Validates an ID token from any OIDC provider (JVM, synchronous).
Arguments:
  validator - Created by create-validator
  opts - Map with:
    :id-token - The JWT ID token string
    :issuer - Expected issuer URL (e.g., "https://accounts.google.com")
    :audience - Expected audience (your client ID)
    :nonce (optional) - Expected nonce value for replay protection
Returns:
  {:valid? true :claims {…}} on success
  {:valid? false :error "description"} on failure
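The following is an added example, not code from this library's documentation, showing how the functions above fit together in a login handler. It assumes the namespace is required as oidc.id-token, that the client ID comes from an OIDC_CLIENT_ID environment variable, and that the nonce was stored server-side when the authorization request was built; example.login, login-from-id-token and cached-claims-usable? are names chosen here.

```clojure
;; Added example (not from the library's docs). Assumed: namespace alias,
;; env var name, and that the nonce was saved when the auth request was built.
(ns example.login
  (:require [oidc.id-token :as idt]))

;; One validator per process so the cached discovery document and JWKS
;; (1 hour TTL) are reused instead of refetched on every login.
(defonce validator (idt/create-validator))

(def client-id (System/getenv "OIDC_CLIENT_ID"))   ; assumed env var

(defn login-from-id-token
  "Validates the ID token the client sent and returns the user identity,
   or {:error ...} when the token is rejected. `expected-nonce` is the value
   stored server-side for this login attempt; passing it binds the token to
   that attempt so a captured token cannot be replayed in another one."
  [id-token expected-nonce]
  (let [{:keys [valid? claims error]}
        (idt/validate validator {:id-token id-token
                                 :issuer   "https://accounts.google.com"
                                 :audience client-id   ; must be OUR client id
                                 :nonce    expected-nonce})]
    (if-not valid?
      {:error (str "id token rejected: " error)}
      ;; Key the account on :sub, which is stable per user at this provider.
      ;; Email can change and is only returned when the provider marks it
      ;; verified, so it is kept for display/contact, not as the identity key.
      {:provider-user-id (idt/extract-subject claims)
       :email            (idt/extract-email claims)})))

(defn cached-claims-usable?
  "Claims kept in a session were valid when validated; before trusting them
   again, re-check that the token's exp has not passed in the meantime."
  [claims]
  (not (idt/token-expired? claims)))

(comment
  ;; Constructed calls; the strings are placeholders, not a real JWT or nonce.
  (login-from-id-token "<id-token-from-client>" "<nonce-from-session>")
  (cached-claims-usable? {:sub "123" :exp 0}))   ;; => false (exp in the past)
```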