Customize JWT expiration

I would like to set up a service using JWT where the token expires 15 minutes after the last use.

As far as I can tell, I cannot use a property of the JWT itself for that, since it can give one specific expiration date/time, but can’t update the expiration after each use.

Instead, I plan to have a REST service that you call with the token and it will track the usage and return an HTTP 200 or 403 depending on whether the token is still “live” (has been issued or used within the last 15 minutes, based on other calls to the same validation service).

My understanding is that I could do this with a JavaScript middleware (make a REST call to the validator service and examine the result). If that’s the right approach, I have three questions:

  1. Would the middleware execute before or after Tyk has validated the JWT token? (I would prefer after, so the middleware isn’t called if the token is already known to be invalid, but I can work with it either way.)
  2. How can a JavaScript middleware access the JWT token that was supplied with the request? Will it still be present in the Authorization request header or is there a better way?
  3. In the case where the token should be expired, how can the middleware cause Tyk to reject the request with an HTTP 403 without ever going on to call the back-end service?

Thanks for any help on this!

Hi ammulder, you may check the middleware types to understand how they get executed, a POST middleware will get executed after the authentication process.

A POST middleware will have access to the session object.