トークンに有効期限を設定できるようになって欲しい

[KisaragiEffective]

Summary

一度きりのPlayなど、short-livedなユースケースで発行したトークンを使い終わった後に手動で失効させるのは忘れるリスクがあります。
現時点で被害にあったというわけではないですが…

Purpose

同上

Do you want to implement this feature yourself?

• Yes, I will implement this by myself and send a pull request

[Sayamame-beans]

strongly related: #10911

[eternal-flame-AD]

My JWT proposal already has this feature:

#15570 (comment)

[KisaragiEffective]

JWTにしたら解決できるのはそうですが、そこに至るまでの道筋が長そうなので切り分けて考えてもいいかなという気持ちです

[eternal-flame-AD]

I think it is good to have an interim solution too, but at the end of the day I think since JWT has official support for token expiration (actually most JWT libraries handle checking for us if we put the timestamp in exp) we should eventually converge to use one solution.

[eternal-flame-AD]

My hope was we can use meta:legacy policy I proposed to get a mostly drop in replacement for the current token, and gradually phase it out by dropping acceptance for tokens with meta:legacy policy as we implement more concrete features (sudo, SSO, more granular policy, etc)..

This way we can coordinate frontend adoption better as frontend-side we would be able to incrementally implement JWT token info handling instead of having to implement all at once.