Enable updated JWTs to be sent to extend the exp (Expiry) time

It would be useful to be able to extend the exp value in the JWT so this can be increased as a user continues to work within the application (I'm thinking of WebCore apps in particular).

Obviously this will need to be done on the server and then returned as part of any response. This could be a header field and TSphinxLogin have an OnCheckForNewJWT method.

I am new to TMS products and am working on a simple game for starters. I was considering game scenarios where it would be desirable that active players in certain game sessions, beyond some "normal" playtime activity, could have their exp values extended.

These features should be solved with a Refresh Token, shouldn't they?

In any case, when is it "enough"? I mean, for how long will users be able to extend their JWT? This is a dangerous area: if they can extend it forever, won't this be a security issue for your apps?

I think that an updated JWT can be returned in the header in response to a request and that there would be a way to consume this in the WebCore app (I did try this a while back but it wasn't successful). It is then up to the developer to decide whether to issue an updated JWT or not. So slightly different to a refresh token.

Is there any standard for that behavior? We are trying to 100% follow standards here; in security we should not reinvent (or invent) the wheel at all.
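The sliding-expiry idea discussed in this thread, with the "for how long" concern handled by an absolute cap counted from login, as an added example that is not part of any post and is not TMS Sphinx code. Python stands in for the server; the `auth_time` claim inside the token, the constants, the key and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
TTL = 15 * 60                  # lifetime of each issued token (assumed value)
RENEW_WINDOW = 5 * 60          # renew only in the last 5 minutes (assumed value)
MAX_SESSION = 8 * 3600         # absolute cap since login (assumed value)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(mac)}"

def verify(token: str, now: int) -> dict:
    """Return the claims; raise ValueError on a bad signature or expired token."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if now >= claims["exp"]:
        raise ValueError("expired")  # an expired token is never renewed
    return claims

def login(sub: str, now: int) -> str:
    return sign({"sub": sub, "auth_time": now, "iat": now, "exp": now + TTL})

def maybe_renew(token: str, now: int):
    """Return a token with a later exp, or None if no renewal is due or allowed."""
    claims = verify(token, now)
    if claims["exp"] - now > RENEW_WINDOW:
        return None  # still fresh, nothing to send back
    new_exp = min(now + TTL, claims["auth_time"] + MAX_SESSION)
    if new_exp <= claims["exp"]:
        return None  # cap reached: the user has to authenticate again
    return sign({**claims, "iat": now, "exp": new_exp})  # auth_time is carried over
```

Because `auth_time` is copied unchanged into every renewed token, repeated renewals can never push `exp` past `auth_time + MAX_SESSION`.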