
7.X Stateless tokens and key rotation

Open sakimura opened this issue 4 months ago • 0 comments

There has been a case where the signing key for a stateless, JWT-based access token was stolen and used by an attacker to mint new access tokens. Since the token was stateless, the resource servers only verified the signature of the access token and, if that succeeded, accepted it. This allowed the attacker to access resources at will for an extended period, as the signing key was not rotated.

If such tokens are to be used, then the signing key MUST be rotated periodically to limit the exposure period.

Also, the authorization server SHOULD keep track of the tokens it has issued and return an error when a token that it did not issue, even one with a valid signature, is submitted to the token introspection endpoint.

sakimura · Sep 26 '24 10:09
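The failure mode described in the issue, and the two mitigations it proposes, as an added example (this is not code from the oauth-v2-1 draft or from the issue author). It uses HS256 with a shared key via the standard library so it runs offline; the `kid` header, the per-token `jti`, the registry keyed by `jti` with a hash of the full token, and the rotation policy (rotate at least every `TOKEN_TTL` seconds, publish only the current and previous key) are illustrative assumptions, not requirements of the draft.

```python
"""Stateless HS256 access tokens: bounded key rotation plus an issued-token registry.
Added example, not code from the oauth-v2-1 draft or this issue. Stdlib only; the
kid/jti handling and the rotation policy are assumptions chosen for illustration."""
import base64, hashlib, hmac, json, secrets

TOKEN_TTL = 600  # access-token lifetime in seconds; keys rotate at least this often (assumption)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWS. Anyone holding `key`, including a thief, can call this."""
    header = {"alg": "HS256", "typ": "at+jwt", "kid": kid}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def verify_jwt(token: str, keys: dict, now: int):
    """Stateless check only: published kid, valid signature, not expired. Claims or None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, sig = json.loads(b64url_decode(h_b64)), b64url_decode(s_b64)
        key = keys.get(header.get("kid")) if header.get("alg") == "HS256" else None
        if key is None:
            return None  # unknown or retired kid: rotation has closed this window
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(b64url_decode(c_b64))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64, or non-object header/claims

class AuthorizationServer:
    def __init__(self):
        self.keys = {}      # kid -> key: current key plus one previous key for in-flight tokens
        self.issued = {}    # jti -> sha256(token) for every token this server actually minted
        self.generation = 0
        self.current_kid = None
        self.rotate()

    def rotate(self):
        """New key; keep only the outgoing key, since tokens under it expire within TOKEN_TTL."""
        self.generation += 1
        new_kid = f"k{self.generation}"
        self.keys = {k: v for k, v in self.keys.items() if k == self.current_kid}
        self.keys[new_kid] = secrets.token_bytes(32)
        self.current_kid = new_kid

    def jwks(self) -> dict:
        return dict(self.keys)  # what resource servers would fetch to verify offline

    def issue(self, sub: str, scope: str, now: int) -> str:
        claims = {"iss": "https://as.example", "sub": sub, "scope": scope,
                  "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(16)}
        token = sign_jwt(claims, self.keys[self.current_kid], self.current_kid)
        self.issued[claims["jti"]] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def introspect(self, token: str, now: int) -> dict:
        """A valid signature is not enough: the token must be one this server recorded."""
        claims = verify_jwt(token, self.keys, now)
        known = claims is not None and \
            self.issued.get(claims.get("jti")) == hashlib.sha256(token.encode()).hexdigest()
        return {"active": True, **claims} if known else {"active": False}

def resource_server_accepts(token: str, jwks: dict, now: int) -> bool:
    """Stateless resource server: accepts any token whose signature verifies."""
    return verify_jwt(token, jwks, now) is not None

def run_scenario() -> dict:
    now = 1_700_000_000  # constructed clock value
    as_ = AuthorizationServer()
    legit = as_.issue("alice", "read", now)
    # Attacker exfiltrates the current key and mints tokens the AS never issued,
    # choosing a long exp so expiry alone will not end the abuse.
    stolen_kid, stolen_key = as_.current_kid, as_.keys[as_.current_kid]
    forged = sign_jwt({"sub": "attacker", "scope": "admin", "exp": now + 30 * 86400,
                       "jti": secrets.token_hex(16)}, stolen_key, stolen_kid)
    legit_jti = json.loads(b64url_decode(legit.split(".")[1]))["jti"]
    replayed_jti = sign_jwt({"sub": "alice", "scope": "admin", "exp": now + TOKEN_TTL,
                             "jti": legit_jti}, stolen_key, stolen_kid)
    out = {
        "legit_rs": resource_server_accepts(legit, as_.jwks(), now),
        "legit_introspect": as_.introspect(legit, now)["active"],
        "forged_rs": resource_server_accepts(forged, as_.jwks(), now),  # the failure mode
        "forged_introspect": as_.introspect(forged, now)["active"],     # jti never recorded
        "replayed_jti_introspect": as_.introspect(replayed_jti, now)["active"],  # hash mismatch
    }
    now += TOKEN_TTL; as_.rotate()  # first rotation: stolen kid still published for grace
    out["forged_rs_after_1_rotation"] = resource_server_accepts(forged, as_.jwks(), now)
    now += TOKEN_TTL; as_.rotate()  # second rotation: stolen kid retired from the JWKS
    out["forged_rs_after_2_rotations"] = resource_server_accepts(forged, as_.jwks(), now)
    return out
```

Calling `run_scenario()` shows the three points the issue makes: a purely stateless resource server accepts the forged token as long as the stolen `kid` is still published, the introspection endpoint rejects it because the `jti` was never recorded, and the forged token dies only once rotation has retired the stolen key. Storing a hash of the whole token rather than just the `jti` also catches a forgery that copies a real `jti` and alters the claims. HS256 is used here only to stay dependency-free; in practice the authorization server would sign with an asymmetric key and publish only the public JWKS, so a key obtained from a resource server would verify tokens but not mint them.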