
I want to invalidate the JWT on the server side automatically after the user has been inactive for 30 mins.

I know how to set a validity period for a JWT, but this will invalidate the token whether the user is active or not.

So I ONLY want to invalidate the token if the user is not active for 30 minutes.

Framework: Spring

1 Answer

A JWT Token is valid from the period it is issued by the token issuer (the iat claim) until it expires (the exp claim).

In a distributed system, where there is a token issuer (the authorization server) and an application that accepts tokens (the resource server), the resource server determines if the token has expired by ensuring that the token is within the valid period - the range between the iat and exp claims.

If you wanted a way to force a token to be revoked so that it should no longer be accepted, even within its valid date range, you are putting a dependency on the resource servers to have to check a token revocation list to get the status of the token. Whilst there are ways that it can be achieved, and this thread goes into the details (How can I revoke a JWT token?), it's generally thought the overhead for managing this reliably is more trouble than it's worth, and a better solution is to use short-lived tokens, e.g. 10 mins (or whatever works for you), and have your application that requires a token to access the resource server generate a new token shortly before the expiry time.

Dylan Morley
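The sliding-window variant of what the answer describes, as an added example that is not part of the question or the answer above: each token carries `iat`/`exp` and lives for the idle window (30 minutes), the resource server accepts it only while `iat <= now < exp`, and any authenticated request on a token older than a minute gets a freshly issued replacement. A user who keeps making requests therefore keeps getting new tokens, while a user who goes quiet is cut off when the last token expires, with nothing stored server-side and no revocation list to consult. The HS256 encode/verify code, the `SECRET`, the `IDLE_WINDOW`/`REFRESH_AFTER` values and the `handle_request`/`simulate_session` helpers are all assumptions made for this illustration; in a Spring application the same logic would sit in the filter or interceptor that validates the token and would use the project's JWT library rather than this hand-rolled signer.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-use"  # assumption: HMAC key shared by issuer and resource server
IDLE_WINDOW = 30 * 60   # token lifetime == allowed inactivity (30 minutes)
REFRESH_AFTER = 60      # re-issue on activity once the token is at least this old (avoids a new token per request)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(sub: str, now: int, lifetime: int = IDLE_WINDOW) -> str:
    """Issuer side: sign {sub, iat, exp} with HS256 (minimal JWT, not a library)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Resource-server side: check signature, algorithm and the iat..exp validity range."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered payload or wrong key
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if header.get("alg") != "HS256":
        return None  # refuse alg=none or any algorithm we did not issue with
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # outside the valid period: not yet valid, or expired
    return claims


def handle_request(token: str, now: int) -> Tuple[bool, Optional[str]]:
    """Authorise one request; on activity, slide the window by returning a replacement token."""
    claims = verify_token(token, now)
    if claims is None:
        return False, None
    if now - claims["iat"] >= REFRESH_AFTER:
        return True, issue_token(claims["sub"], now)  # activity observed: restart the 30-minute clock
    return True, None


def simulate_session(sub: str, start: int, activity: List[int]) -> List[bool]:
    """Replay request timestamps for one client that adopts every replacement token it receives."""
    token = issue_token(sub, start)
    accepted = []
    for t in activity:
        ok, renewed = handle_request(token, t)
        accepted.append(ok)
        if renewed:
            token = renewed
    return accepted


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed session start
    minutes = lambda m: t0 + m * 60
    # active at 20 and 45 min (each within 30 min of the previous request), then silent until 80 min
    print(simulate_session("alice", t0, [minutes(20), minutes(45), minutes(80)]))
```

Because a replacement is only issued once the current token is at least `REFRESH_AFTER` old, the effective idle timeout lies between 29 and 30 minutes rather than being exactly 30; set `REFRESH_AFTER` to 0 to re-issue on every request if exactness matters more than token churn. Note that, as the answer points out, this still cannot cut a session off early while a token is inside its `iat`..`exp` range; it only stops the window from sliding.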