Using JSON Web Tokens (JWTs) to secure your APIs has become a de facto standard in the IT industry. However, the underlying concepts and mechanisms can be complex and are often misunderstood.
...
A "self-contained" JWT cannot be revoked until it expires. Consider using referenced tokens (tokens the API resolves by a lookup at the issuer, which can therefore be revoked) if the token provides access to sensitive or high-risk data.
Access tokens should have a lifetime that is as short as possible; as a general principle, the more sensitive the data an API exposes, the shorter the token lifetime should be.
To preserve the user experience, long-lived sessions should be combined with short-lived access tokens. You can achieve this by using refresh tokens on the client.
...
DO NOT BLINDLY TRUST THE VALUES IN CLAIMS
Examples:
"kid" - do not perform certificate or key requests before the value has been validated and verified (for example by matching it against a known set of key identifiers, never by using it to build a file path or query)
"jku" and "x5u" are header values that point to a URL. Do NOT follow these URLs before they have been validated (for example against an allowlist of trusted key servers), in order to avoid SSRF attacks
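As an added example (not code from the original article), a minimal HS256 verifier in Python that applies the rules above: "kid", "jku" and "x5u" are validated before anything acts on them, the algorithm is pinned, and "exp" is enforced. The key set, the trusted host and the token issuer helper are constructed demo values.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

# Constructed demo key set: kid -> HS256 secret. Only keys listed here may ever verify.
LOCAL_KEYS = {"2024-key-1": b"constructed-demo-secret"}
# Hosts a key fetch from a jku/x5u URL would be allowed for; nothing is fetched here.
TRUSTED_KEY_HOSTS = {"keys.example.internal"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, kid: str, secret: bytes = None, **extra_header) -> str:
    """Issue an HS256 token (demo helper; extra_header lets a caller add jku/x5u/alg)."""
    header = {"alg": "HS256", "kid": kid, **extra_header}
    secret = LOCAL_KEYS.get(kid, b"not-a-real-key") if secret is None else secret
    parts = [b64url_encode(json.dumps(x).encode()) for x in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_token(token: str, now: float):
    """Return (None, claims) on success or (reason, None). Header values are checked
    before anything acts on them; signature and expiry are checked after."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = (json.loads(b64url_decode(x)) for x in (h_b64, p_b64))
        sig = b64url_decode(s_b64)
    except Exception:
        return "malformed token", None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return "malformed token", None
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token choose
        return "unexpected alg", None
    for url_claim in ("jku", "x5u"):           # token-supplied URLs: allowlist before any fetch
        if url_claim in header:
            url = urlparse(str(header[url_claim]))
            if url.scheme != "https" or url.hostname not in TRUSTED_KEY_HOSTS:
                return f"untrusted {url_claim}", None
    kid = header.get("kid")                    # kid is only a dictionary lookup, never a path
    if not isinstance(kid, str) or kid not in LOCAL_KEYS:
        return "unknown kid", None
    expected = hmac.new(LOCAL_KEYS[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature", None
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        return "expired or missing exp", None  # a short lifetime only helps if it is enforced
    return None, payload
```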