WLCG-AuthZ-WG / bearer-token-discovery


Token handling after discovery #6

Open apeters1971 opened 3 years ago

apeters1971 commented 3 years ago

Could you add a section to the document on how to handle usage of a token after discovery? If I find a token under a given path, how long is it usable as is? Is the assumption to reload the token for each request, or to reload the token file whenever it gets modified? Is the assumption to refresh the token inside the application, or are file-based tokens always refreshed by external third-party applications? If the token file disappears after I have loaded it, what am I supposed to do?

DrDaveD commented 3 years ago

This document doesn't make any assumptions about the contents of the token, so I don't think it's possible to determine how long it is usable. If an application knows that the token is a JWT, it can decode it and look at the exp claim.

Determinations about the long-term use of a token are application-dependent and probably don't belong in this document, I think. We could discuss recommendations for your questions, but this is probably not the right forum for it.
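As an added illustration of the point made above (example code, not part of the bearer-token-discovery document and not the WLCG project's own), the following Python reads the `exp` claim from a discovered token when that token happens to be a JWT and uses it, together with the token file's mtime, to decide when to re-read the file. The file path, the 60 second skew, the `alg=none` sample tokens written for the demo, and the choice to keep using a cached token after its file disappears are all assumptions of this example, not recommendations from the document. The `exp` claim is read without verifying the signature, which is acceptable for scheduling a reload but never for deciding whether to trust the token; the resource server still validates it.

```python
"""Added example (not from the bearer-token-discovery document): what a
client can do with a token file once discovery has found it."""
import base64
import json
import os
import tempfile
import time


def _b64url_decode(segment):
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token):
    """Return the `exp` claim (seconds since epoch) if the token is JWT-shaped,
    else None. An opaque token gives None: its lifetime is unknown to us."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON: not a JWT we can read
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


class TokenExpired(Exception):
    pass


class FileToken:
    """Re-reads the token file only when its mtime changes, keeps the last
    good copy if the file vanishes, and refuses to hand out a JWT within
    `skew` seconds of its `exp`. Assumed policy, not the document's."""

    def __init__(self, path, skew=60):
        self.path, self.skew = path, skew
        self._token = self._mtime = self._exp = None
        self.reloads = 0  # how many times the file was actually re-read

    def _refresh_from_file(self):
        st = os.stat(self.path)
        if st.st_mtime_ns == self._mtime:
            return  # unchanged since last read: no reload
        with open(self.path, encoding="utf-8") as fh:
            token = fh.read().strip()
        self._token, self._mtime, self._exp = token, st.st_mtime_ns, jwt_exp(token)
        self.reloads += 1

    def get(self, now=None):
        now = time.time() if now is None else now
        try:
            self._refresh_from_file()
        except FileNotFoundError:
            if self._token is None:
                raise  # never had a token: nothing to fall back to
            # File vanished after a good load: keep the cached copy until
            # its own exp (if any) says it is no longer usable.
        if self._exp is not None and now >= self._exp - self.skew:
            raise TokenExpired("token expires at %d, now %d" % (self._exp, now))
        return self._token


def unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def demo():
    """Walk through the cases raised in the issue; returns the observations."""
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bt_u1000")  # assumed file name, demo only

        def write(token, mtime):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(token + "\n")
            os.utime(path, (mtime, mtime))

        src = FileToken(path, skew=60)
        write(unsigned_jwt({"sub": "alice", "exp": now + 3600}), now)
        first = src.get(now)
        src.get(now + 10)                            # same mtime: not re-read
        reloads_after_unchanged = src.reloads
        write(unsigned_jwt({"sub": "alice", "exp": now + 7200}), now + 20)
        second = src.get(now + 20)                   # mtime changed: re-read
        os.remove(path)
        after_delete = src.get(now + 30)             # file gone, cache still valid
        try:
            src.get(now + 7200 - 59)                 # inside the skew window
            expired = False
        except TokenExpired:
            expired = True
        write("opaque-token-abc", now + 40)          # non-JWT: exp unknown
        opaque = src.get(now + 40)
    return {"first_exp": jwt_exp(first), "reloads_after_unchanged": reloads_after_unchanged,
            "second_exp": jwt_exp(second), "after_delete_is_second": after_delete == second,
            "expired_raised": expired, "opaque_exp": jwt_exp(opaque), "reloads": src.reloads}


if __name__ == "__main__":
    print(demo())
```

For an opaque (non-JWT) token `jwt_exp` returns None, so the only signal left is the file's mtime and the resource server's 401; the example therefore re-reads on change and otherwise keeps the cached copy, which is one reasonable policy but, as the reply above says, ultimately an application decision.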