I would like to reopen issue #12830, which was closed with a denial. About the comment from the original issue:
I'm not clear on whether it is common to have the Resource Server cache JWT validation results. Further, since it is not part of the OAuth spec, I think it would be important to gather more evidence that this practice is quite common. Even if it is quite common, I believe further evidence would be needed to demonstrate that the performance benefits outweigh the security implications before adding such a component to Spring Security.
Performance-sensitive applications cache various kinds of data to provide low-latency APIs. In a microservice architecture, there might be tons of API calls between servers (machines), and sometimes authorization and authentication is provided by OAuth2. Regarding the security implications: without any revocation mechanism, validating the same JWT (access token) multiple times from the same clients does not sacrifice much security. You might say that it would introduce some chance for hackers to modify and add invalid (or unverified) tokens to the cache so that they can bypass OAuth2 JWT token validation. But I think it's not so critical; that's the policy of the resource server, and the resource server can take on its own risk.
For your information, there are cases where such a cache mechanism is introduced.
I suggest keeping this ticket open to gather more feedback or requests.
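As an added illustration of the kind of cache the post above is asking for (example code, not Spring Security's own code and not from the issue author), the following hypothetical `CachingJwtDecoder` wraps a real `JwtDecoder`. The Spring Security types `Jwt`, `JwtDecoder` and `JwtException` exist; the class name, the `maxTtl` and `maxEntries` parameters and the package-private `Clock` constructor are assumptions for this example. It addresses the two concerns raised in the thread: only results produced by the wrapped decoder ever enter the private map (there is no external write path for unverified tokens), and an entry is never served past the token's own `exp` or past `maxTtl`, so the window in which a revoked-but-unexpired token keeps working is bounded and explicit.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

/**
 * Hypothetical decorator (example only): caches successful validations from the
 * wrapped decoder, keyed by a SHA-256 of the raw token, until min(exp, now + maxTtl).
 */
public final class CachingJwtDecoder implements JwtDecoder {

    private static final class Entry {
        final Jwt jwt;
        final Instant evictAt;
        Entry(Jwt jwt, Instant evictAt) { this.jwt = jwt; this.evictAt = evictAt; }
    }

    private final JwtDecoder delegate;
    private final Duration maxTtl;      // assumed parameter: upper bound on reuse
    private final int maxEntries;       // assumed parameter: cap on cache size
    private final Clock clock;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();

    public CachingJwtDecoder(JwtDecoder delegate, Duration maxTtl, int maxEntries) {
        this(delegate, maxTtl, maxEntries, Clock.systemUTC());
    }

    CachingJwtDecoder(JwtDecoder delegate, Duration maxTtl, int maxEntries, Clock clock) {
        this.delegate = delegate;
        this.maxTtl = maxTtl;
        this.maxEntries = maxEntries;
        this.clock = clock;
    }

    @Override
    public Jwt decode(String token) throws JwtException {
        String key = fingerprint(token);
        Instant now = clock.instant();

        Entry hit = cache.get(key);
        if (hit != null) {
            if (now.isBefore(hit.evictAt)) {
                return hit.jwt;          // signature and claims were checked on first sight
            }
            cache.remove(key, hit);      // stale: fall through and re-validate
        }

        // Cache miss: the real decoder performs signature and claim validation.
        // A JwtException propagates and nothing is stored, so failures are never cached.
        Jwt jwt = delegate.decode(token);

        Instant evictAt = now.plus(maxTtl);
        Instant exp = jwt.getExpiresAt();
        if (exp != null && exp.isBefore(evictAt)) {
            evictAt = exp;               // never serve a token past its own exp
        }
        if (evictAt.isAfter(now)) {
            if (cache.size() >= maxEntries) {
                evictExpired(now);
            }
            if (cache.size() < maxEntries) {
                cache.put(key, new Entry(jwt, evictAt));
            }
        }
        return jwt;
    }

    /** Drop every entry whose eviction time has passed. */
    private void evictExpired(Instant now) {
        cache.entrySet().removeIf(e -> !now.isBefore(e.getValue().evictAt));
    }

    /** Key on a digest so the raw bearer token is not retained as a map key. */
    private static String fingerprint(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Wiring it in is a matter of wrapping whatever decoder the resource server already uses, for instance `new CachingJwtDecoder(NimbusJwtDecoder.withJwkSetUri(uri).build(), Duration.ofMinutes(5), 10_000)`, and exposing the wrapper as the `JwtDecoder` bean. Because the key is derived from the full token, any modification to a cached token (header, payload or signature) produces a different key and goes back through the delegate; the trade-off the post acknowledges, that a token cannot be withdrawn before `maxTtl` elapses, is what a deployment has to weigh against the saved validation work.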
Comment From: jzheaux
@Kieun, thanks for the extra information. Will you please place this information in https://github.com/spring-projects/spring-security/issues/12830? I'm going to close this as a duplicate.
Comment From: Kieun
@jzheaux I added this information to the original issue. You can close this.