Either the token is not expiring or I’m not understanding how an “expiration” works.
Using Postman, I first call /auth/credentials to log in and obtain a token. This works. I then call a method /hello which is marked as [Authenticate] without supplying any credentials. I get a 200 so this works (Postman is apparently using the cookie from the call to /auth/credentials). I then wait several minutes. I have ExpireTokensIn = TimeSpan.FromMinutes(1) in code. After 5 minutes I would expect a 401 when calling /hello but it continues to work, despite supposedly being expired.
My initial thought is that Postman is getting a refresh token, but I think I debunked this after I locked the user account in the database and /hello continues to get a 200 despite the account being locked. So I would assume Postman is not able to refresh the token at this point.
Finally, calling /auth/logout logs me out and returns a 401 with a call to /hello. From that point on, I’m unable to get new credentials.
So how do I actually expire a JWT token?