Ignore token expiration on keycloak spring security adapter

Considering the scenario:

  1. API Gateway validates a JWT token issued by Keycloak. It does all the validations, expiration date included.
  2. The token is then forwarded to the target application.
  3. That target application validates the token again, using the keycloak spring security adapter.
  4. The application can process the request and eventually forward this token to other internal services, which will do the same validation.

However during the lifespan of this request the token can expire.

My questions are:

  1. Given that the token was already validated on the API gateway, would it be safe to ignore the token expiration date?
  2. If the answer to 1 is yes, is there a way to configure the spring security adapter to ignore the expiration date?
  3. If the answer to 1 is no, is there a standard way to handle this scenario where the token expires during the lifespan of a request?

Upvotes: 1

Views: 928

Answers (2)

Toerktumlare

Reputation: 14732

No, the token expiration date is there for security reasons.

If someone steals a token which has no expiration date that token will be able to be used forever. This can be extremely dangerous. Especially if the token is valuable.

If a token has expired, the token should be refreshed and then you can request again.

Upvotes: 3

Jan Garaj

Reputation: 28646

I would say your frontend should manage the valid token state properly. Good auth libs have a config where you can define how long before token expiration the token is refreshed. So it should be configured in such a way that the token will never be expired on the backend side.

Upvotes: 1
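The following is an added example, not code from the question or either answer, showing both halves of the advice above in one place: every hop in the chain (gateway, application, internal service) verifies signature and `exp` independently, and the client refreshes ahead of expiry so a token never runs out mid-chain. It is plain Python rather than the Keycloak Spring adapter, and uses a constructed HS256 shared secret as a stand-in for the RS256 public-key verification a Keycloak-issued token would actually get; the 30-second `leeway` is there only to absorb clock skew between hosts, not to extend token lifetime. The helper names (`mint_token`, `verify_token`, `needs_refresh`, `simulate_request_chain`) and all timestamps are assumptions made up for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Real Keycloak tokens are RS256 and are verified
# against the realm's public key; HS256 keeps this example self-contained.
SECRET = b"demo-secret-not-for-production"


class TokenError(Exception):
    """Raised by verify_token for any reason the token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, ttl_seconds: int, now: int, key: bytes = SECRET) -> str:
    """Issue a minimal HS256 JWT (stand-in for what Keycloak would mint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, leeway_seconds: int = 30, key: bytes = SECRET) -> dict:
    """Full verification as every hop should do it: signature first, then exp.

    The previous hop having validated the token is not trusted; a token that
    was valid at the gateway may be expired, or substituted, by the time it
    arrives here. leeway_seconds covers clock skew only.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if "exp" not in payload:
        raise TokenError("missing exp")
    if now > payload["exp"] + leeway_seconds:
        raise TokenError("token expired")
    return payload


def needs_refresh(token: str, now: int, refresh_ahead_seconds: int, chain_budget_seconds: int) -> bool:
    """Client-side check: refresh if the token could expire before the request
    chain finishes. chain_budget_seconds is the worst-case time the token
    spends travelling through gateway and downstream services."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["exp"] - now <= refresh_ahead_seconds + chain_budget_seconds


def simulate_request_chain(token: str, start: int, hop_latency: int, hops: int = 3) -> int:
    """Gateway, application and internal service each re-verify the token while
    wall-clock time advances by hop_latency per hop. Returns the finish time,
    or raises TokenError at the hop where the token has expired."""
    now = start
    for _ in range(hops):
        verify_token(token, now)
        now += hop_latency
    return now


if __name__ == "__main__":
    now = 1_700_000_000  # constructed epoch timestamp
    tok = mint_token("alice", ttl_seconds=300, now=now)
    print(simulate_request_chain(tok, start=now + 270, hop_latency=20))  # within leeway
    print(needs_refresh(tok, now + 240, refresh_ahead_seconds=30, chain_budget_seconds=40))
```

The refresh-ahead window in `needs_refresh` is what answer 2 describes configuring in the frontend auth library: pick it larger than the longest request chain the token will traverse, and the backend never has to decide what to do with a token that expired in flight.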
