
Improve Security of JWT tokens used in Service Accounts

Open neosab opened this issue 7 years ago • 0 comments

Feature Request

Detailed Description

Reinforce security of the system

  1. Verify/Mandate the "aud" (audience) claim. This ensures the token was issued for a specific Dispatch deployment. Although we recommend that services use a different key-pair when interacting with multiple Dispatch deployments, it's best to add this extra layer of security to ensure the same token is not re-used against different Dispatch deployments.

  2. Verify the duration of the token's validity. It's possible for the client to issue a long-lived token, which could compromise the security of the system. Currently, the CLI creates a token with an exp time of 1 hr.

  3. The server should issue a JWT token after the client-presented token is validated. This ensures the server controls the expiration of a token and avoids the DB lookup time involved every time a client token is presented.

  4. Add a domain to represent a service account, e.g. [email protected]. This is partially done, but we should mandate it. This ensures that we are enforcing policies for a service account and also avoids clashes with OIDC user accounts.

Context

Possible Implementation

Complexity

  • [ ] Low - Simple enhancement or bug fix, no architectural changes or refactoring
  • [X] Medium - Change requires some thought, but is relatively isolated
  • [ ] High - Significant architectural change or large refactor

neosab · May 17 '18 19:05