Address code review feedback: fix token expiration, add validation, improve docs

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>

Author: Copilot

sdk/keyvault/azure-security-keyvault-jca/README.md

@@ -197,10 +197,11 @@ System.out.println(result);
 Note if you want to use Azure managed identity, you should set the value of `azure.keyvault.uri`, and the rest of the parameters would be `null`.
 
 #### Authentication with Access Token
-If you want to use a pre-obtained bearer token for authentication (e.g., for multi-factor authentication scenarios), you can use the `azure.keyvault.access-token` property:
+If you want to use a pre-obtained bearer token for authentication, you can use the `azure.keyvault.access-token` property:
 
 ```java
 // First, obtain your access token through your authentication flow
+// For example, authenticate with a certificate or other credential
 String accessToken = "<your-pre-obtained-access-token>";
 
 System.setProperty("azure.keyvault.uri", "<your-azure-keyvault-uri>");
@@ -214,10 +215,12 @@ KeyStore keyStore = KeyVaultKeyStore.getKeyVaultKeyStoreBySystemProperty();
 // Use the keyStore as needed for your SSL/TLS operations
 ```
 
-This approach allows you to programmatically implement multi-factor authentication by:
-1. Authenticating your service principal with a certificate (something you have)
-2. Requesting a temporary access token
-3. Using that temporary access token (something you know) for Key Vault operations
+This approach is useful in scenarios where:
+- You need to use a specific authentication flow (e.g., certificate-based authentication) to obtain a token
+- You want to manage token lifecycle and refresh independently
+- You are working in environments where managed identity or client credentials are not suitable
+
+**Note:** The provided access token is cached and used for approximately 1 hour. After that time, you will need to provide a fresh token through your application's token refresh mechanism.
 
 ### mTLS
 #### Server side mTLS

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java

@@ -65,6 +65,17 @@ public KeyVaultLoadStoreParameter(String keyVaultUri, String managedIdentity) {
         this(keyVaultUri, null, null, null, managedIdentity, null);
     }
 
+    /**
+     * Constructor for access token authentication.
+     *
+     * @param keyVaultUri The Azure Key Vault URI.
+     * @param accessToken The access token.
+     * @param useAccessToken Marker parameter to differentiate from managedIdentity constructor (pass true).
+     */
+    public KeyVaultLoadStoreParameter(String keyVaultUri, String accessToken, boolean useAccessToken) {
+        this(keyVaultUri, null, null, null, null, accessToken);
+    }
+
     /**
      * Constructor.
      *

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java

@@ -227,11 +227,12 @@ private AccessToken getAccessTokenByHttpRequest() {
             if (managedIdentity != null) {
                 LOGGER.info("Using managed identity for authentication");
                 accessToken = AccessTokenUtil.getAccessToken(resource, managedIdentity);
-            } else if (providedAccessToken != null) {
+            } else if (providedAccessToken != null && !providedAccessToken.isEmpty()) {
                 LOGGER.info("Using provided access token for authentication");
                 // Create an AccessToken object from the provided token string
-                // We set an expiration far in the future since we don't know the actual expiration
-                accessToken = new AccessToken(providedAccessToken, Long.MAX_VALUE);
+                // Set expiration to 1 hour (3600 seconds) as a reasonable default since we don't know the actual expiration
+                // The token will be treated as expired after 1 hour and the caller will need to provide a new one
+                accessToken = new AccessToken(providedAccessToken, 3600);
             } else if (tenantId != null && clientId != null && clientSecret != null) {
                 LOGGER.info("Using client credentials (client ID/secret) for authentication");
                 String aadAuthenticationUri = getLoginUri(keyVaultUri + "certificates" + API_VERSION_POSTFIX,