Tyk & JWT Inactivity Timeout

I’ve managed to set Tyk up with an external JWT token generator – yay!

The next question is, we would like to stop honoring a given JWT after 15 minutes of inactivity (but a user could keep using the same token indefinitely so long as they’re actively using it). Is there any way in Tyk to track a token’s usage and disable it after a period of inactivity?

On a side note, I plan to extract certain claims from the token and populate them into request parameters (for instance, to provide the username and related data encoded in the token to the back-end services without them all needing the token-decoding logic). I saw a post saying you could do this in a custom Tyk plugin, which I plan to explore. It sounds like a nice feature for a future release, though – if I could just specify the origin claim name (including the standard “sub” as well as custom claims) and destination request parameter name, for a list of claims, and Tyk had logic to move the claims to request parameters, that would be awesome.

JWTs tend to come with an expiry, and Tyk will enforce that. You would need to do some custom middleware there to evaluate access times and extend expiry. It’s not something that Tyk can do out of the box.

I believe this has been released in one of the patches of v2.2 for custom JWTs, you can extract the claims using the header injector and the $tyk_context.jwt_claims_{claim_name} namespace.

This isn’t available with OIDC yet though, that will come in v2.3