Ability to configure max lifetime of private_key_jwt #476
jblazek started this conversation in Feature requests
Replies: 1 comment

With JWT client assertions/private_key_jwt, the client generates and signs a JWT and chooses a lifetime.
In order to prevent clients from choosing a very long lifetime, it would be useful to have a config option to limit the max lifetime of client assertions to some timespan to prevent this.
Otherwise a client might issue a signed JWT which doesn't expire for a very long time and diminish the security benefits of the private key JWT.
Then possibly the JwtRequestValidator could check this configuration option and reject validation if it exceeds the allowed lifetime.

Reply:
Thanks for this suggestion to improve private_key_jwt validation. We've added it to our backlog!
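One way the check requested above could look, as an added example that is not part of this discussion and not the project's own JwtRequestValidator code. It is written in Python rather than the project's C# so it runs stand-alone; the default cap and clock-skew values are assumptions, the claim names follow RFC 7523, and the sample assertion is constructed and unsigned (signature verification is a separate step that this example does not perform).

```python
"""
Added example (not the project's or the poster's code): enforce a
configurable maximum lifetime on a private_key_jwt client assertion.

Assumptions (constructed for this example): claim names follow RFC 7523
(iss, sub, aud, jti, iat, exp); the sample assertion is unsigned with a
placeholder signature segment and exists only to exercise the lifetime
check. Signature/audience/issuer verification is a separate step.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LifetimePolicy:
    max_lifetime_seconds: int = 300   # server-configured cap (assumed default)
    clock_skew_seconds: int = 60      # tolerated client/server clock drift (assumed)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_claims(assertion: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client assertion is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_assertion_lifetime(claims: dict, policy: LifetimePolicy,
                             now: Optional[int] = None) -> Tuple[bool, str]:
    """Accept or reject an assertion based purely on its time claims.

    Rules:
      * exp is mandatory (RFC 7523 section 3) and must be an integer.
      * the assertion must not already be expired (with skew tolerance).
      * exp must not lie further ahead than now + max_lifetime (+ skew);
        this is the check the feature request asks for.
      * if iat is present, exp - iat must also fit the cap, so a client
        cannot present a long-lived assertion "just in time".
    """
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing or non-integer exp claim"
    if exp <= now - policy.clock_skew_seconds:
        return False, "assertion already expired"
    latest_allowed = now + policy.max_lifetime_seconds + policy.clock_skew_seconds
    if exp > latest_allowed:
        return False, f"exp exceeds configured max lifetime by {exp - latest_allowed}s"
    iat = claims.get("iat")
    if iat is not None:
        if not isinstance(iat, int):
            return False, "non-integer iat claim"
        if iat > now + policy.clock_skew_seconds:
            return False, "iat is in the future"
        if exp - iat > policy.max_lifetime_seconds + policy.clock_skew_seconds:
            return False, "iat..exp window exceeds configured max lifetime"
    return True, "ok"


def build_unsigned_assertion(claims: dict) -> str:
    """Constructed helper: compact JWT with a placeholder signature segment."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.PLACEHOLDER-SIGNATURE"


def demo() -> dict:
    """Run the check against a short-lived and a deliberately long-lived assertion."""
    policy = LifetimePolicy(max_lifetime_seconds=300, clock_skew_seconds=60)
    now = 1_700_000_000  # fixed clock so results are deterministic
    base = {"iss": "client-1", "sub": "client-1",            # constructed sample claims
            "aud": "https://issuer.example/connect/token", "jti": "abc"}
    short_lived = build_unsigned_assertion({**base, "iat": now, "exp": now + 120})
    long_lived = build_unsigned_assertion({**base, "iat": now, "exp": now + 365 * 24 * 3600})
    return {
        "short": check_assertion_lifetime(parse_claims(short_lived), policy, now),
        "long": check_assertion_lifetime(parse_claims(long_lived), policy, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The second `iat`-based rule matters because a cap on `exp - now` alone still lets a client hand out an assertion minted long ago with a distant `exp`; bounding the `iat..exp` window as well keeps the assertion's total validity within the configured timespan.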