[Feature Request] Validate token with mandatory encryption #3366

@mahdibx

Description

Is your feature request related to a problem? Please describe.
A JWE is supposed to ensure both confidentiality and integrity of the token, but the method ValidateTokenAsync will return a valid token result even when the token is not encrypted, which in my view is a trap that can catch many unaware developers.

Describe the solution you'd like
When decryption keys are provided, token encryption should be mandatory, and only tokens encrypted with the given keys should be considered valid. Making encryption optional should be an explicit choice by the developer; like the RequireSignedTokens property, we could have a RequireEncryptedTokens property that defaults to true.

Describe alternatives you've considered
An alternative is to use signed tokens in addition to encryption, but this adds considerable length to the tokens, which is unnecessary in most cases.

Additional context
No additional context.
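A worked example of the trap described in this issue and of a workaround, added here as illustration; it is not code from the issue author or from the Microsoft.IdentityModel project. It uses the public Microsoft.IdentityModel.JsonWebTokens API (JsonWebTokenHandler.ValidateTokenAsync, TokenValidationParameters.TokenDecryptionKey, JsonWebToken.InnerToken). The library has no RequireEncryptedTokens switch, so the wrapper ValidateRequiringEncryptionAsync is a hypothetical stand-in for it; the key, issuer, audience and claims are constructed demo values.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class RequireEncryptedTokensDemo
{
    // Constructed 256-bit key for A256KW key wrapping; demo only, never hard-code real keys.
    static readonly SymmetricSecurityKey Kek =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef"));

    static readonly TokenValidationParameters Parameters = new TokenValidationParameters
    {
        TokenDecryptionKey = Kek,
        RequireSignedTokens = false,          // the issue's setup: encryption only, no signature
        ValidIssuer = "https://issuer.example",
        ValidAudience = "api://example",
    };

    // Hypothetical emulation of the requested RequireEncryptedTokens behaviour (not a library
    // feature). A compact JWE has five dot-separated segments (RFC 7516), and after a successful
    // JWE validation the handler exposes the decrypted inner token as JsonWebToken.InnerToken.
    public static async Task<TokenValidationResult> ValidateRequiringEncryptionAsync(
        string token, TokenValidationParameters parameters)
    {
        // Fail fast before any crypto: a JWS or unsecured JWT has three segments, a JWE five.
        if (token.Split('.').Length != 5)
            return Reject("Token is not a compact JWE (expected 5 segments).");

        var handler = new JsonWebTokenHandler();
        TokenValidationResult result = await handler.ValidateTokenAsync(token, parameters);
        if (!result.IsValid)
            return result;

        // Second check: confirm the handler really decrypted something with the configured keys.
        if (result.SecurityToken is JsonWebToken jwt && jwt.InnerToken != null)
            return result;

        return Reject("Token validated but was not decrypted with the configured keys.");
    }

    static TokenValidationResult Reject(string reason) => new TokenValidationResult
    {
        IsValid = false,
        Exception = new SecurityTokenException(reason),
    };

    public static async Task Main()
    {
        var handler = new JsonWebTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",
            Audience = "api://example",
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }), // constructed claims
        };

        // Token 1: no SigningCredentials and no EncryptingCredentials -> unsecured JWT ("alg":"none").
        string plain = handler.CreateToken(descriptor);

        // Token 2: the same claims, encrypted with the demo key (A256KW + A128CBC-HS256).
        descriptor.EncryptingCredentials = new EncryptingCredentials(
            Kek, SecurityAlgorithms.Aes256KW, SecurityAlgorithms.Aes128CbcHmacSha256);
        string encrypted = handler.CreateToken(descriptor);

        // The behaviour the issue reports: with a decryption key configured, the bare handler
        // still returns a valid result for the unencrypted token.
        TokenValidationResult lax = await handler.ValidateTokenAsync(plain, Parameters);
        Console.WriteLine($"JsonWebTokenHandler, unencrypted token: IsValid={lax.IsValid}");

        // The wrapper rejects the plaintext token and accepts the JWE.
        TokenValidationResult strictPlain = await ValidateRequiringEncryptionAsync(plain, Parameters);
        Console.WriteLine($"Wrapper, unencrypted token: IsValid={strictPlain.IsValid} ({strictPlain.Exception?.Message})");

        TokenValidationResult strictJwe = await ValidateRequiringEncryptionAsync(encrypted, Parameters);
        Console.WriteLine($"Wrapper, JWE: IsValid={strictJwe.IsValid}");
    }
}
```

The segment count is checked before calling the handler so that an unencrypted token never reaches signature or claims validation, and InnerToken is checked afterwards so that a token cannot pass merely by looking like a JWE; both conditions must hold for the wrapper to return the library's result unchanged.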

Labels: Enhancement