JWT Token Claim Validation after it has been granted
Scenario: A user logs in to a web application and receives a JWT Token. The Token Service looks up user roles, adds them to the JWT Claims, and adds all necessary signatures to the token.
When the receiving application receives the token, it has the necessary keys to authenticate and decrypt the token.
Question: As a best practice, should the receiving application also call back the "User Services" to check that the user still has those roles, or should it just assume the content of the token is the source of truth until the token expires?
What are the best practices in this regard? Should the receiving application always call the User Service to validate whether the claims are still true at that point in time, or does it really depend on the kind of application you are building? For example, if you have issued long-term tokens, then maybe it is better to check and invalidate the token.
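The trade-off the question describes can be made concrete in code. The following is an added example (not part of the original post and not any particular library's API): a stdlib-only HS256 issue/verify pair, plus a `effective_roles` policy function that trusts the signed role claims only while the token is younger than a configurable freshness window and otherwise re-reads the live roles from a `user_service` callback. The shared key, the `user_service` callback, and all claim values are constructed for the example.

```python
"""Stdlib-only HS256 JWT issue/verify plus a claim-freshness policy.

Added example, not code from the original question. Assumes a shared
HMAC key (constructed), an in-memory stand-in for the "User Service"
callback, and constructed sample claims.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Token Service side: sign the claims with HS256 over the shared key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: float) -> dict:
    """Receiving side: check structure, pinned algorithm, signature, expiry.

    Raises ValueError on any failure and returns the claims on success.
    Signature is checked before the payload is parsed or trusted.
    """
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if "exp" not in claims or "iat" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing time claims")
    return claims


def effective_roles(token: str, key: bytes, user_service, now: float,
                    max_claim_age: float) -> set:
    """Decide which roles to honour for this request.

    Policy (one answer to the question above): the signed roles are the
    source of truth only while the token is younger than max_claim_age
    seconds; beyond that the live roles are re-read from the User Service.
    user_service(sub) -> set of current roles (hypothetical callback).
    """
    claims = verify_token(token, key, now)
    if now - claims["iat"] <= max_claim_age:
        return set(claims.get("roles", []))
    return set(user_service(claims["sub"]))


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    now = time.time()
    tok = issue_token({"sub": "alice", "roles": ["admin"],
                       "iat": now, "exp": now + 3600}, key)
    # Stand-in User Service where alice's admin role has since been revoked.
    live = {"alice": set()}
    print("fresh token:", effective_roles(tok, key, live.__getitem__, now + 60, 300))
    print("stale token:", effective_roles(tok, key, live.__getitem__, now + 600, 300))
```

With a short freshness window the receiving application behaves like the "token is the source of truth" option for most requests and only pays the User Service round-trip for tokens older than the window, which is the practical middle ground for long-lived tokens; setting `max_claim_age` to zero gives the "always call back" behaviour, and setting it to the token lifetime gives the "trust until expiry" behaviour.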