JWT validation does not validate signature and lifetime

[m-jevremovic-un1]

Hello, I would appreciate your help on this one.

I am using:
.Net Core 7.0
HotChocolate 13.0.5

Program.cs config:

builder.Services
    .ConfigureAuthentication(builder.Configuration)
    .AddAuthorization()
    .AddCore()
    .AddInfrastructure()
    .AddHttpContextAccessor()
    .AddSingleton<ICurrentRequest, CurrentHttpRequest>()
    .ConfigureHsts()
    .ConfigureCors(builder.Environment, builder.Configuration)
    .ConfigureHttpJsonOptions(options =>
    {
        options.SerializerOptions.WriteIndented = true;
        options.SerializerOptions.Converters.Add(new JsonStringEnumConverter());
    })
    .ConfigureGraphQl(builder.Environment)
    .AddHealthChecks()
    .AddDbContextCheck<ApplicationDbContext>();

This is how I have configured Authentication:

 public static IServiceCollection ConfigureAuthentication(
        this IServiceCollection services, 
        IConfiguration configuration)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                var jwtSettings = configuration
                    .GetRequiredSection(nameof(JwtSettings))
                    .Get<JwtSettings>()!;

                var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.SecretKey));
                
                options.Authority = jwtSettings.Authority;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = jwtSettings.Issuer,
                    ValidateAudience = true,
                    ValidAudience = jwtSettings.Audience,
                    ValidateLifetime = true,
                    RequireExpirationTime = true,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    RequireSignedTokens = true,
                    ClockSkew = TimeSpan.Zero
                };
            });

        return services;
    }

This is how I configured gql:

 public static IServiceCollection ConfigureGraphQl(
        this IServiceCollection services,
        IHostEnvironment environment)
    {
        
        IReadOnlySchemaOptions capturedSchemaOptions = null!;
        services
            .AddGraphQLServer()
            .AddAuthorization()
            .AddMutationType(x => x.Name(OperationTypeNames.Mutation))
            .AddQueryType(x => x.Name(OperationTypeNames.Query))
            .AddCoreTypes()
            .AddWebApiTypes()
            .AddErrorFilters()
            .RegisterDbContext<ApplicationDbContext>(DbContextKind.Pooled)
            .SetPagingOptions(new PagingOptions
            {
                IncludeTotalCount = true,
                MaxPageSize = 25,
                DefaultPageSize = 25
            })
            .AddProjections()
            .AddFiltering<CustomFilterConvention>()
            .AddSorting()
            .ModifyOptions(schemaOptions =>
            {
                schemaOptions.EnableOneOf = true;
                schemaOptions.DefaultResolverStrategy = ExecutionStrategy.Parallel;
                capturedSchemaOptions = schemaOptions;
            })
            .ModifyRequestOptions(x => x.IncludeExceptionDetails = !environment.IsProduction())
            .AddApplicationTypeNamingConventions(() => capturedSchemaOptions)
            .AllowIntrospection(true)
            .AddSocketSessionInterceptor<SocketAuthenticationInterceptor>()
            .AddInMemorySubscriptions();

        services.AddHttpResponseFormatter<OkStatusCodeHttpResponseFormatter>();

        return services;
    }

Middleware:

application
    .UseConfiguredHealthChecks()
    .UseAuthentication()
    .UseAuthorization()
    .UseMiddleware<CurrentUserMiddleware>()
    .UseEnrichedLogging();

The problem I am facing that authentication/authorisation works as expected if I use some random token (401 is properly set), but it does not work as expected if token has expired or it has invalid signature or it does not have signature at all. In that case I am passing authentication and I can access resource, even id token is expired, or signature is not present.

Am I missing something or I have not configured something?