Invalidate JWT after 5 minutes

[macdonst]

Expected Behaviour

Once a bearer token has been generated the JWT token should be invalidated so it can't be re-used.

Actual Behaviour

The JWT token expires after 24 hours which is nice in testing but not so much in production.

Reproduce Scenario (including but not limited to)

Steps to Reproduce

Just generate a bearer token

Platform and Version

Any version up to 0.2.0.

Sample Code that illustrates the problem

Use sample code from readme.md

[fmeschbe]

A JWT token cannot be invalidated. It just has an expiry and is signed. What you really want to do is create a short expiry time for the signed JWT in https://github.com/adobe/jwt-auth/blob/master/index.js#L47: Currently it is ~24h (87000s).

I suggest to reduce this to max 5 minutes (which looks like ample time for exchanging it for an access token).

[macdonst]

@fmeschbe that's what I'm currently doing. I've reduced the expiry down to 5 minutes.

However, with IMS you can set a jti property in the JWT and if IMS sees it a second time it will reject it. I'm also looking into that possibility to make it more secure.

[fmeschbe]

Correct, but doesn't JTI have to be setup in the technical account binding for it to be useable in a JWT ? I might be wrong, though.

[macdonst]

@fmeschbe yup, that's what it looks like. I'm going to push the change on the JWT expiry momentarily. I'll take the jti conversation over to slack with you.