...
Currently, the JWT access token has a 10 hour lifetime, but it should have a maximum lifetime of 1 hour (matching the current lifetime of the JWT cookie). Tim McCormack notes that JWTs should probably have a maximum of 15 minutes in all cases, rather than 1 hour, but that is a separate potential discussion.
Private ticket for this work: https://2u-internal.atlassian.net/browse/ARCHBOM-2099
Password Grant Check
For the currently proposed 1st-party token exchange for session login using JWTs, we would need an equivalent check for _is_grant_password so that the endpoint does not become more permissive than it is today.
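The two points above (capping the accepted JWT lifetime at 1 hour on the consuming side, and a JWT equivalent of the _is_grant_password check before session login) can be combined into a single validation routine. The following is an added example, not code from the original page or from the project it discusses; the HS256 signing helper, the secret, the claim names, and in particular the assumed `grant_type` claim are illustrative assumptions, since the page does not say how the grant type would be carried in the JWT.

```python
"""Added example (not the project's own code): reject JWTs whose lifetime
exceeds a hard cap, and require a password grant before session login.
The HS256 signing helper and the 'grant_type' claim are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Hard cap from the discussion above: 1 hour. Enforced on the consuming side,
# so a token minted under the old 10-hour setting is still refused here.
MAX_JWT_LIFETIME_SECONDS = 60 * 60


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Constructed helper, used only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenRejected(Exception):
    """Raised for any token that must not be accepted."""


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Check structure, alg, signature, expiry and the lifetime cap; return claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (e.g. 'none').
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise TokenRejected("iat/exp missing or malformed")
    if exp <= now:
        raise TokenRejected("expired")
    if exp - iat > MAX_JWT_LIFETIME_SECONDS:
        # Issuer handed out a longer lifetime than policy allows; refuse it.
        raise TokenRejected("lifetime exceeds cap")
    return claims


def is_password_grant(claims: dict) -> bool:
    """JWT counterpart of _is_grant_password. The 'grant_type' claim is an assumption."""
    return claims.get("grant_type") == "password"


def accept_for_session_login(token: str, secret: bytes, now=None) -> bool:
    """True only for a valid, short-lived JWT obtained via the password grant."""
    try:
        claims = verify_jwt(token, secret, now)
    except TokenRejected:
        return False
    return is_password_grant(claims)
```

The lifetime cap is computed from `exp - iat` rather than from `exp` alone so that a token which is not yet expired but was minted with a 10-hour window is still refused; the grant check runs only after the signature has been verified, so an unsigned claim cannot satisfy it.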
...