Implement infrastructure to verify jti claims

[paullatzelsperger]

Feature Request

Related to the refactoring of how tokens are handled in EDC (#3743) we need a way to validate jti claims. jti claims are supposed to be random strings with a good-as-zero possibility to be repeated within a reasonable amount of time.

Thus, the recipient of a JWT must record every jti claim value until at least time specified by the exp claim and reject an incoming JWT if it carries a "known" jti.

After that time, jti claims could theoretically be re-used because any prior token carrying the same jti have already expired and wouldn't be valid anyway.

Which Areas Would Be Affected?

identity services, token validation rules

Why Is the Feature Desired?

guarding against replay attacks

Solution Proposal

1. persistent storage for jti claims: This could actually be a generic implementation, something like a TemporaryValueStorage, which records arbitrary values plus the start and end of their validity periods.
2. both an In-Mem and a Postgres implementation
3. an aggregate service: uses the TemporaryValueStorage to CRUD jti values
4. a reaper thread running inside the service that cleans out expired entries from the storage