Create a cache for JWK public keys.
`pubkeys-expire-in` is the TTL for the entries of the cache,
expressed in seconds

Create a cache for validated tokens.
The cache is limited in size to `max-cached-tokens`, and uses a LRU
eviction strategy when the limit is reached. Individually, each
token is evicted when its time to live (TTL), expressed in
milli-seconds, is reached.

Default value for the number of cached tokens

TTL for failed token validations, expressed in milli-seconds

Get the public keys from the JWKS at `jwks-uri`, using `pubkey-cache` for caching results.
Returns a collection with the public keys or `nil` if the JWKS content
is not available, or doesn't contain valid public keys.

Get the public keys from the JSON Web Key Set at `jwks-uri`.
Returns a collection with the public keys extracted from the JWKS,
or `nil` if it can't retrieve them. Logs to `logger` any relevant
issues that may prevent the key set from being retrieved.

Retrieve given `url`. Uses timeout for the connection and follows redirects.
Logs to `logger` any relevant issues that may prevent the url from
being retrieved. Returns `nil` if the connection cannot be
stablished, the content cannot be retrieved or the status response
is not 2xx.

Initial delay for retries, specified in milliseconds.

Maximun delay for a connection retry, specified in milliseconds. We
are using truncated binary exponential backoff, with `max-delay` as
the ceiling for the retry delay.

Retry attempts for JKW keys retrieval

One day, expressed in seconds

Set the TTL cache value (expressed in milli-seconds) for `token`

See https://tools.ietf.org/html/rfc7518#section-6.4 for details

See https://tools.ietf.org/html/rfc7518#section-3.1 and
https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
for details. `jws/decode-header` returns the standard algorithm
names as lower-case keywords, so specify them here as such. 

Timeout, in milli-seconds, for JWK keys retrieval through HTTP request

Validate OpenId Connect ID `token`, using `pubkey`.
The `claims` map should contain at least the following keys:

  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.

If the token is valid, a map is returned with the following keys:

  :sub The identity (subject) extracted from the token (if valid).

  :exp The expiry time (exp) extracted from the token (if valid), as a
       number representing the number of seconds from 1970-01-01T00:00:00Z
       as measured in UTC.

  If the token is not valid, it returns `nil`.

Validate OpenID Connect ID `token`, caching results to speed up recurrent validations.
Returns the `:sub` claim from the token, or `nil` if the token is
invalid. Logs to `logger` any relevant issues that may prevent
tokens from begin validated.
`config` is a map with at least the following keys:

:pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys
            of the Issuer.
:token-cache A `clojure.core.cache` compatible instance, to cache token validation results.
:jwks-uri The URL of the config (OpenID Connect Provider) JSON Web Key Set document.
:claims A map with the claims that the token must satisfy. At least
       the following keys must exist:
           :iss Case-sensitive URL for the Issuer Identifier.
           :aud Audience(s) the ID Token is intended for.

Validate an OpenId Connect ID `token` against the token issuer.
`pubkeys` is a collection of public keys that can have signed the
token. The `claims` map should contain at least the following
keys:

  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.

A map is returned with the following keys:

  :sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.

  :exp The expiry time (exp) extracted from the token if valid, as a number
       representing the number of seconds from 1970-01-01T00:00:00Z as
       measured in UTC. Otherwise, `nil`.