Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Currently, when a client is configured to authenticate with a JWT (Signed JWT or Signed JWT with Client Secret), the token can only be used once (it is not reusable), but it is accepted during the whole validity period defined in the token itself (the iat, nbf and exp claims are used to decide whether the token is valid). The client can therefore use a very long expiration period (hours or even days), which is problematic for Keycloak because that period is outside the server's control: for example, someone could generate a token stealthily and it would remain valid for a very long time. Long expiration periods also stress Keycloak's single-use cache, because the token has to be stored there for the whole period.
It would be better to enforce a small expiration window for these tokens. Although the token can carry any expiration it likes, Keycloak would only accept the authentication if the token is presented shortly after being issued (a small window of 1 minute, for example). After that time the token would be rejected.
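A server-side check of the kind the report asks for, written here as an added example (not Keycloak's code): it verifies an HS256 client_secret_jwt assertion and honours nbf/exp, but additionally rejects any assertion issued more than an assumed 60 seconds ago regardless of its own exp, and consumes the jti so the assertion is single use. The HS256 secret, the 60-second window and the 5-second clock skew are assumptions, not values from the issue.

```python
import base64, hashlib, hmac, json

MAX_ASSERTION_AGE = 60   # assumed server policy: seconds accepted after iat
CLOCK_SKEW = 5           # assumed tolerated clock drift, seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict, client_secret: str) -> str:
    """Build a constructed HS256 client assertion (test input for this example)."""
    h64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"

def validate_client_assertion(token: str, client_secret: str, now: int,
                              seen_jti: set, max_age: int = MAX_ASSERTION_AGE) -> str:
    """Return "ok" or the reason a client_secret_jwt assertion is rejected.

    On top of the usual nbf/exp checks, the assertion is refused when it was
    issued more than `max_age` seconds ago, whatever its own exp says, and
    when its jti was already consumed (single use).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return "unsupported alg"
    expected = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(p64))
    if any(c not in claims for c in ("iat", "exp", "jti")):
        return "missing iat, exp or jti"
    if claims["iat"] > now + CLOCK_SKEW or claims.get("nbf", 0) > now + CLOCK_SKEW:
        return "not yet valid"
    if claims["exp"] <= now - CLOCK_SKEW:
        return "expired"
    if now - claims["iat"] > max_age:          # server-side cap, independent of exp
        return "issued too long ago"
    if claims["jti"] in seen_jti:              # replay of a single-use assertion
        return "replayed jti"
    seen_jti.add(claims["jti"])
    return "ok"
```

With the cap in place, an assertion carrying a one-day exp is still refused once it is older than the window, and the single-use cache only needs to remember a jti for that window rather than for the token's whole lifetime.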
Version
26.1.4
Regression
[ ] The issue is a regression
Expected behavior
JWT tokens used for client authentication should only be accepted within a small window after being issued.
Actual behavior
The expiration inside the token is trusted.
How to Reproduce?
See description.
Anything else?
No response