Major Description
Some JWT access token from azure (issued for the graph API) contain a nonce within the JWT header. Trying to validate this access token with CXF fails. Azure access token without a nonce can be validated successfully.
Here is my example access token
eyJ0eXAiOiJKV1QiLCJub25jZSI6IndSNWNyaGdrbG1HSWZrWF9pdXN5bDdJOEwzdjRZcWZfNzc3eUxzYV9GRTAiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9lODAyY2ZkNi0zMzE0LTRhMTItODk3OC0wZWZkNTg3NTAyMmIvIiwiaWF0IjoxNjMwOTEwODgyLCJuYmYiOjE2MzA5MTA4ODIsImV4cCI6MTYzMDkxNDc4MiwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFVUUF1LzhUQUFBQUpLZnZzSDJtalh1aFBRQ242T3lVK09GNm9WV00yb2hTZ2k2bVBCT1RnZTJIMEF3MVNLcUhIWGVBeCtOc1ZKQnF6R3dGM2hScWNWMm1zanVCZ0owRm13PT0iLCJhbXIiOlsicHdkIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6IkdyYXBoIEV4cGxvcmVyIiwiYXBwaWQiOiJkZThiYzhiNS1kOWY5LTQ4YjEtYThhZC1iNzQ4ZGE3MjUwNjQiLCJhcHBpZGFjciI6IjAiLCJmYW1pbHlfbmFtZSI6IkJlcm5oYXJkdCIsImdpdmVuX25hbWUiOiJKYW4iLCJpZHR5cCI6InVzZXIiLCJpcGFkZHIiOiI5My4yMDUuMjQ1LjI2IiwibmFtZSI6IkphbiBCZXJuaGFyZHQiLCJvaWQiOiI5M2RkYTMzNy1iN2ZhLTQ4ZWQtOTg4Ny0zN2Y1OWYyN2ExMDUiLCJwbGF0ZiI6IjMiLCJwdWlkIjoiMTAwMzIwMDE3NjZBNDg2QiIsInJoIjoiMC5BUzhBMXM4QzZCUXpFa3FKZUE3OVdIVUNLN1hJaTk3NTJiRklxSzIzU05weVVHUXZBSGsuIiwic2NwIjoiRGlyZWN0b3J5LkFjY2Vzc0FzVXNlci5BbGwgRGlyZWN0b3J5LlJlYWQuQWxsIEdyb3VwLlJlYWQuQWxsIEdyb3VwTWVtYmVyLlJlYWQuQWxsIG9wZW5pZCBwcm9maWxlIFVzZXIuUmVhZCBlbWFpbCIsInN1YiI6IjQ4d083M2JwMEhmUHZCcHdFeUpVbXdlR3UtaElJZmxVOHlkaGdVb2FNQ2MiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiRVUiLCJ0aWQiOiJlODAyY2ZkNi0zMzE0LTRhMTItODk3OC0wZWZkNTg3NTAyMmIiLCJ1bmlxdWVfbmFtZSI6ImFkbWluQGphbmJlcm5oYXJkdC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJhZG1pbkBqYW5iZXJuaGFyZHQub25taWNyb3NvZnQuY29tIiwidXRpIjoiUTBWQVBWX0NMVTJTbmt4NjJJZUlBQSIsInZlciI6IjEuMCIsIndpZHMiOlsiNjJlOTAzOTQtNjlmNS00MjM3LTkxOTAtMDEyMTc3MTQ1ZTEwIiwiYjc5ZmJmNGQtM2VmOS00Njg5LTgxNDMtNzZiMTk0ZTg1NTA5Il0sInhtc19zdCI6eyJzdWIiOiJpbmFoaEhnbmpQLUhwb1BRdXYtbDZHTThLeWl2SUVSVTRFdXRwWk50YmxnIn0sInhtc190Y2R0IjoxNjMwMzEwMTIyfQ.UQT2ZSWJYCpHirwNhcnHil3MiVeujpOiYSDIlnINr9CWxCOojKfSNIdFEA_uwFkXKGbHRZj06mry6PXLwIq0MtdIti2ZVzgW1jporUfwoT_7635R5FyYVvkr7-78Ajg5UQUHhS_R5gIo5LyhYu26T55rZXhjE5ySwTYO9TwPMuywzDgckyDVXBZDpVlu5GbrC7rZLB_4N504tX3WX3N30ZHTN7wJQ4rW0IDa9Nvk_5aH0ge1x-4H62L-ZvqYl4S6rThOUS9PD1JkhihptHSOnLC9YbQvkv1sbN2lxBtDsz5w3P7Kc18IFIvHywAgxFTQettwRX023TSfnJf6-ZuxhA
I used the matching certificate from: https://login.microsoftonline.com/common/discovery/v2.0/keys for my validation:
MIIDBTCCAe2gAwIBAgIQN33ROaIJ6bJBWDCxtmJEbjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIwMTIyMTIwNTAxN1oXDTI1MTIyMDIwNTAxN1owLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKGiy0/YZHEo9rRn2bI27u189Sq7NKhInFz5hLCSjgUB2rmf5ETNR3RJIDiW1M51LKROsTrjkl45cxK6gcVwLuEgr3L1TgmBtr/Rt/riKyxeXbLQ9LGBwaNVaJrSscxfdFbJa5J+qzUIFBiFoL7kE8ZtbkZJWBTxHEyEcNC52JJ8ydOhgvZYykete8AAVa2TZAbg4ECo9+6nMsaGsSBncRHJlRWVycq8Q4HV4faMEZmZ+iyCZRo2fZufXpn7sJwZ7CEBuw4qycHvUl6y153sUUFqsswnZGGjqpKSq7I7sVI9vjB199RarHaSSbDgL2FxjmASiUY4RqxnTjVa2XVHUwUCAwEAAaMhMB8wHQYDVR0OBBYEFI5mN5ftHloEDVNoIa8sQs7kJAeTMA0GCSqGSIb3DQEBCwUAA4IBAQBnaGnojxNgnV4+TCPZ9br4ox1nRn9tzY8b5pwKTW2McJTe0yEvrHyaItK8KbmeKJOBvASf+QwHkp+F2BAXzRiTl4Z+gNFQULPzsQWpmKlz6fIWhc7ksgpTkMK6AaTbwWYTfmpKnQw/KJm/6rboLDWYyKFpQcStu67RZ+aRvQz68Ev2ga5JsXlcOJ3gP/lE5WC1S0rjfabzdMOGP8qZQhXk4wBOgtFBaisDnbjV5pcIrjRPlhoCxvKgC/290nZ9/DLBH3TbHk8xwHXeBAnAjyAqOZij92uksAv7ZLq4MODcnQshVINXwsYshG1pQqOLwMertNaY5WtrubMRku44Dw7R