Just to circle back on this one as it’s been a couple of weeks. Currently the JWT that gets passed from the connect iframe through to the app has a 15 minute expiry window.
If a user permission changes within that window, then the access to the app can still persist for up to 15 minutes.
This is currently a known risk (albeit not an ideal one). A 15-minute expiry in terms of risk is quite low in terms of exploitation - the window is very small. It’s similar to other risks around session management and eventual consistency windows.
Ecosystem Security do want to review this risk in the future - but right now it’s not the highest risk review we have in our queue.
Once a JWT has passed its exp, any requests with that token should have a 401 returned - so hopefully that should give some guidance on how long an authorization cache can be reasonably held before there's additional risk of permission changes.
I hope that helps!
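As an added example (not code from the thread or from Atlassian), a server-side check in Python that applies the two points in the reply: a request carrying a JWT past its `exp` is answered with 401, and any authorization decision derived from the token is cached for no longer than the token's remaining lifetime. The HS256 shared secret, the claims and the 15-minute cap are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example; a real app uses the secret issued at install time.
SAMPLE_SECRET = b"example-shared-secret"
MAX_CACHE_TTL = 15 * 60  # never cache an authorization decision longer than the JWT lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 compact JWT; used here only to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_token(token: str, secret: bytes, now: int) -> tuple[int, int]:
    """Return (http_status, cache_ttl_seconds) for a request carrying `token`.

    401 and a TTL of 0 when the token is malformed, not HS256, wrongly signed or
    past `exp`; otherwise 200 and the number of seconds an authorization result
    may be cached, capped so the cache entry never outlives the token.
    """
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm before verifying; never trust an unverified "alg".
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return 401, 0
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401, 0
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return 401, 0
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return 401, 0  # expired or missing exp: reject, and cache nothing
    return 200, min(MAX_CACHE_TTL, exp - now)
```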