I am using JWT tokens to manage sessions, and I can refresh those sessions by calling checkSession – that’s all fine. What I find weird is that there is no way to invalidate the token used for checkSession, meaning that if someone was served a JWT token say… 6 months ago (and I’ve set the expiry of it to say… 5 minutes), they can call checkSession and get a fresh one today; that’s not secure at all.
Using refreshToken is not an option here, and I can see no way to control parameters surrounding checkSession on auth0’s side – give it a valid JWT, no matter how expired, and it will spit out a new one.
Why can I not set how often the token can be refreshed, or the time limit before checkSession will say “no, you must log in again and get a fresh token” instead of “ah yes you have an expired, or soon to expire token, here’s a new fresh one.”
I must be missing something, as this is wildly insecure. How do I implement this using auth0’s API and not universal login or anything like that?
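The control the post is asking for, shown as an added example that is my own code and not Auth0's SDK, API or checkSession implementation: a minimal HS256 JWT issuer and verifier where every token carries an `auth_time` claim (the moment the user actually logged in), and the renewal endpoint enforces an absolute session lifetime measured from that claim even when it is willing to accept a recently expired token. The shared secret, the 5-minute token lifetime, the 24-hour absolute limit and the claim layout are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real deployment loads the secret from a vault.
SECRET = b"demo-secret-not-for-production"
TOKEN_LIFETIME = 5 * 60          # token exp, 5 minutes as in the post
MAX_SESSION_AGE = 24 * 60 * 60   # hypothetical absolute limit: re-login after 24 h


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, auth_time: int, now: int) -> str:
    """Mint an HS256 JWT. auth_time is carried forward unchanged on renewal,
    so it always records the original interactive login, not the last refresh."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + TOKEN_LIFETIME, "auth_time": auth_time}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, now: int, allow_expired: bool = False):
    """Return (payload, 'ok') or (None, reason). Signature and alg are checked
    before any claim is trusted; the absolute session age is checked regardless
    of whether an expired token is tolerated."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    payload = json.loads(_b64url_decode(p))
    if not allow_expired and now >= payload["exp"]:
        return None, "expired"
    if now - payload["auth_time"] > MAX_SESSION_AGE:
        return None, "session too old, interactive login required"
    return payload, "ok"


def renew(token: str, now: int):
    """Renewal endpoint: accepts an expired token (the behaviour the post describes)
    but refuses once the original login is older than MAX_SESSION_AGE."""
    payload, reason = verify(token, now, allow_expired=True)
    if payload is None:
        return None, reason
    return issue_token(payload["sub"], payload["auth_time"], now), "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", auth_time=t0, now=t0)
    print(verify(tok, t0 + 60)[1])                    # ok
    print(verify(tok, t0 + 400)[1])                   # expired
    print(renew(tok, t0 + 400)[1])                    # ok (renewal tolerates expiry)
    print(renew(tok, t0 + MAX_SESSION_AGE + 1)[1])    # session too old
```

The point of the design is that renewal never resets `auth_time`: a token can be refreshed as often as the 5-minute window allows, but 24 hours after the interactive login every renewal fails and the user must log in again.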