I would like to set up a service using JWT where the token expires 15 minutes after the last use.
As far as I can tell, I cannot use a property of the JWT itself for that, since it can give one specific expiration date/time, but can't update the expiration after each use.
Instead, I plan to have a REST service that you call with the token and it will track the usage and return an HTTP 200 or 403 depending on whether the token is still "live" (has been issued or used within the last 15 minutes, based on other calls to the same validation service).
- Would the middleware execute before or after Tyk has validated the JWT token? (I would prefer after, so the middleware isn't called if the token is already known to be invalid, but I can work with it either way.)
- In the case where the token should be expired, how can the middleware cause Tyk to reject the request with an HTTP 403 without ever going on to call the back-end service?
Thanks for any help on this!