Sounds like you are trying to prevent replay attacks.
How do you imagine JWTs are being stolen in the first place though? XSS sneaky websites or someone over the shoulder.
Just seems that if the attacker is all up in your browser extensions can't they just inject email and password text elements into the dom and see what gets filled by the browser saved logins?
It's not so much replay attacks I'm trying to solve for here (although putting the instantiating user's IP address in the JWT seems like it would do a lot to thwart that).
I think the main thing here is preventing anyone from using my JWT who isn't on my browser.
Even if I'm on a site that leaks data via XSS, and have several plugins that broadcast my cookies, localStorage, etc. - and my live JWT and refresh tokens make it into the hands of bad guys; it's worthless in the setup I'm proposing - I think...