cockroachdb / cockroach

CockroachDB - the open source, cloud-native distributed SQL database.
https://www.cockroachlabs.com

JWT token Authentication kills SQL session on token expiry #104656

Open data-matt opened 1 year ago

data-matt commented 1 year ago

Is your feature request related to a problem? Please describe.
We believe that the SQL session will remain open, even after the JWT token has expired.

Describe the solution you'd like
CockroachDB reads the JWT token expiry from the token, realises the JWT token will expire at X time and kills the session on expiry.

Describe alternatives you've considered
Killing sessions manually.

Additional context
Add any other context or screenshots about the feature request here.

Jira issue: CRDB-28656

Epic CRDB-39964

bdarnell commented 2 months ago
  1. This should be optional (and, I think, off by default?). Some users may want to use short-lived tokens to authenticate relatively long-lived sessions.
  2. Consider doing this for all applicable authentication methods, not just JWTs. Certificates have expiration in the same way. Conversely, for passwords we generally don't want to invalidate existing sessions on password change because a SQL user can only have one password at a time (compared to multiple certs or JWTs with overlapping validity), so we must allow password-authenticated sessions to outlive the password to allow password changes without downtime.
  3. Given this, I wonder if a global max-session-lifetime setting would be more appropriate than something that more closely ties the duration to the token expiration. If all sessions expire, say, every 15 minutes, and must re-authenticate, we'd bound the amount of time that a session authenticated by an expired token could be used, and this would work just as well for password changes.
  4. I think the desired behavior is probably not "kill the session and cancel any ongoing statement" but "accept no new statements for this session and terminate it after the current command completes". This is important so that you don't necessarily have to issue a long-lived JWT in order to perform long-running operations like schema changes.
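The four points above describe one policy: an opt-in flag for credential-expiry enforcement, a deadline that applies to any expiring credential (JWT or certificate) but not to passwords, an optional global maximum session lifetime that bounds everything, and a drain rather than a kill once the deadline passes. The Go sketch below is an added example written for this thread; it is not CockroachDB's code, and the `Session`, `Policy`, `BeginStatement`, `EndStatement`, `JWTExpiry` and `MakeDemoToken` names are hypothetical. The token it decodes is constructed inline and carries a placeholder signature, so `JWTExpiry` only reads the `exp` claim; in a real server the signature must be verified before the claim is trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Session is a hypothetical model of the auth-related state of one SQL session.
// CredentialExp is zero for password-authenticated sessions (point 2): a password
// has no expiry and must be allowed to change without ending existing sessions.
type Session struct {
	User          string
	CredentialExp time.Time // expiry of the JWT or certificate used at login, if any
	StartedAt     time.Time
	Draining      bool // no new statements accepted; close when idle (point 4)
}

// Policy holds the cluster-wide knobs discussed in the thread.
type Policy struct {
	EnforceCredentialExpiry bool          // point 1: opt-in, off by default
	MaxSessionLifetime      time.Duration // point 3: 0 means unlimited
}

// ErrSessionExpired is returned for every statement after the deadline has passed.
var ErrSessionExpired = errors.New("session expired: re-authentication required")

// Deadline returns the earliest instant after which no new statement may start.
// The second result is false when neither knob produces a deadline.
func (p Policy) Deadline(s *Session) (time.Time, bool) {
	var deadline time.Time
	have := false
	if p.EnforceCredentialExpiry && !s.CredentialExp.IsZero() {
		deadline, have = s.CredentialExp, true
	}
	if p.MaxSessionLifetime > 0 {
		if d := s.StartedAt.Add(p.MaxSessionLifetime); !have || d.Before(deadline) {
			deadline, have = d, true
		}
	}
	return deadline, have
}

// BeginStatement is the check applied when a new statement arrives. Once the
// deadline has passed it refuses the statement and marks the session draining.
// A statement already in flight is never interrupted by this path.
func (p Policy) BeginStatement(s *Session, now time.Time) error {
	if s.Draining {
		return ErrSessionExpired
	}
	if dl, ok := p.Deadline(s); ok && !now.Before(dl) {
		s.Draining = true
		return ErrSessionExpired
	}
	return nil
}

// EndStatement runs when the current statement completes. It reports whether
// the session should now be closed, i.e. the deadline passed while it ran.
func (p Policy) EndStatement(s *Session, now time.Time) (closeNow bool) {
	if dl, ok := p.Deadline(s); ok && !now.Before(dl) {
		s.Draining = true
	}
	return s.Draining
}

// JWTExpiry reads the exp claim from a compact JWS. It does NOT verify the
// signature; callers must verify first, otherwise exp is attacker-controlled.
func JWTExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, err
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("no exp claim")
	}
	return time.Unix(claims.Exp, 0).UTC(), nil
}

// MakeDemoToken builds a constructed, unsigned token for the example only.
func MakeDemoToken(exp time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{"sub": "app", "exp": exp.Unix()})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	exp, _ := JWTExpiry(MakeDemoToken(t0.Add(10 * time.Minute)))
	s := &Session{User: "app", CredentialExp: exp, StartedAt: t0}
	p := Policy{EnforceCredentialExpiry: true}
	fmt.Println("start at +5m:", p.BeginStatement(s, t0.Add(5*time.Minute)))   // <nil>
	fmt.Println("close after statement ending at +12m:", p.EndStatement(s, t0.Add(12*time.Minute))) // true
	fmt.Println("next statement at +13m:", p.BeginStatement(s, t0.Add(13*time.Minute))) // expired
}
```

With `EnforceCredentialExpiry` left false the JWT deadline is ignored, which is the default the first point asks for; setting `MaxSessionLifetime` alone bounds password sessions too, which is the third point's argument for a global setting. A schema change that starts before the deadline is allowed to finish because the deadline is only consulted at statement boundaries.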