Handling expiry/“remember me” functionality with JWT

Question

Conceptually, I really like JWT as it is in line with the statelessness of REST etc (no state saved server-side, all relevant data is contained in the token).

What I am

Answer 1

I can think of one way, but it is not really defined the standard.

What about adding another kind of expiration date with different lifespan to the claims? With two claims, we can treat the shorter one of it as the resource access expiration date, and the longer one as the refresh expiration date, e.g.

{
    "iat": /* current time */,
    "bbf": /* current time + 1 hour -- expired means no resource access */
    "exp": /* current time + 1 week -- expired means cannot refresh */
}

(Note: I use bbf for the shorter expiration date. No specific reason, just because it has 3 characters in length.)

So with "remember me" checked, when the user reconnects, he can use the same token to request for a new one, but not to access the resource. With this, all relevant data is contained within the token -- no extra token required.

And lastly, when "remember me" not checked, just use the same lifespan for bbf and exp.