Feature: Add exp to generated user JWTs

[fullykubed]

Great plugin!

We'd like to use it to generate temporary credentials for our NATS clusters.

Unfortunately, the JWTs generated by this function do not have the exp set so they are essentially perpetual.

It looks like exp support is already present and just requires being added similar to iss here.

[fullykubed]

Additionally, the expiration time should be checked in the refresh loop so that the stored JWT can be updated before it expires:

vault-plugin-secrets-nats/backend.go

Line 282 in 86002ee

if jwtMissing || nkeyMissing {

.

It seems like it would be good to refresh it when it is >= 50% of the way between iat and exp.

[siredmar]

You are right. Thanks for reporting this! Token expiration is not implemented as this has not been a use case for us yet.

Since I'm no longer working full time on all these projects, I'll look into this issue when I have some time.

PRs are very welcome though :)

[fullykubed]

@siredmar Thanks for the confirmation.

We ended up not going with this plugin, otherwise would be happy to add the PR.

For our use case, we didn't need multi-tenancy, just dynamic credentials, and we were able to just use mTLS NATS auth with the Vault PKI backend.