public void CreateAndValidateToken_WithSecurityTokenDescriptor_ExpectCorrectBrancaTimestampAndNoIatClaim()
        {
            const string issuer    = "me";
            const string audience  = "you";
            const string subject   = "123";
            var          expires   = DateTime.UtcNow.AddDays(1);
            var          notBefore = DateTime.UtcNow;

            var handler = new BrancaTokenHandler();

            var token = handler.CreateToken(new SecurityTokenDescriptor
            {
                Issuer    = issuer,
                Audience  = audience,
                Expires   = expires,
                NotBefore = notBefore,
                Claims    = new Dictionary <string, object> {
                    { "sub", subject }
                },
                EncryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(validKey), ExtendedSecurityAlgorithms.XChaCha20Poly1305)
            });

            var validatedToken = handler.ValidateToken(token, new TokenValidationParameters
            {
                ValidIssuer        = issuer,
                ValidAudience      = audience,
                TokenDecryptionKey = new SymmetricSecurityKey(validKey)
            });

            validatedToken.IsValid.Should().BeTrue();
            validatedToken.ClaimsIdentity.Claims.Should().Contain(
                x => x.Type == "sub" && x.Value == subject);

            var brancaToken = (BrancaSecurityToken)validatedToken.SecurityToken;

            brancaToken.Issuer.Should().Be(issuer);
            brancaToken.Audiences.Should().Contain(audience);
            brancaToken.Subject.Should().Be(subject);
            brancaToken.IssuedAt.Should().BeWithin(1.Minutes()).After(notBefore);
            brancaToken.ValidFrom.Should().BeWithin(0.Seconds()).After(notBefore);
            brancaToken.ValidTo.Should().BeWithin(0.Seconds()).After(expires);
        }