feat: ias token validation (#1862)

Co-authored-by: Johannes Vogel <31311694+johannes-vogel@users.noreply.github.com>
Co-authored-by: René Jeglinsky <rene.jeglinsky@sap.com>

Author: 3 people

node.js/authentication.md

@@ -369,6 +369,28 @@ npm add @sap/xssec
 ```
 :::
 
+#### Token Validation
+
+For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two additional validations: (1) token ownership via x5t thumbprint and (2) proof-of-possession.
+These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain).
+
+The default behavior can be overwritten using additional configuration as follows:
+
+```json
+"requires": {
+  "auth": {
+    "kind": "ias",
+    "config": { // passed to @sap/xssec as is
+      "validation": {
+        "x5t": { "enabled": false },
+        "proofToken": { "enabled": false }
+      }
+    }
+  }
+}
+```
+
+Please see [`@sap/xssec` documentation](https://www.npmjs.com/package/@sap/xssec) for more details.
 
 ### Custom Authentication { #custom }