return err
		}
	}

	if !jwtToken.Valid {
		return ErrTokenExpired
	}

	if err = updateClaimsExpiry(dsecs, mclaims); err != nil {
		return err
	}

	if err = r.updateUserinfoClaims(ctx, arn, accessToken, mclaims); err != nil {
		return err
	}

	// Validate that matching clientID appears in the aud or azp claims.

	// REQUIRED. Audience(s) that this ID Token is intended for.