JWT token refresh: To maintain the session open for the configured amount of time, the expiration date of the JWT token must be extended with every interaction with SonarCloud. Unfortunately, a JWT token is immutable. The only way to allow the session to go on for the configured amount of time starting from now is therefore to replace the user's JWT token with a new one with an extended expiration date.
This is achieved through a "token refresh", hardcoded to occur every 5 minutes. However, after 5 minutes the token is refreshed on every HTTP request, generating tons of new tokens. See dogfood thread for details.
The date the code compares against to decide whether the token should be refreshed is incorrect: it is always the creation date of the first JWT token generated when the user authenticated.
The reason for this is in method `refreshToken` here:
This method sends a "refreshed" token to the user. The new token is created from the current one (content of the token is represented by the `Claims` object).
The new token String value is created by method `jwtSerializer.refresh`. This method will update the expiration date of the token but not the "lastRefreshTime" field, resulting in this field keeping the same value forever.
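The effect described above can be reproduced with a small model of the refresh decision. This is an added example, not SonarCloud code: the class, the method names, the `Map` standing in for `Claims`, the session timeout, the strict `>` comparison and the request interval are all assumptions; only the `lastRefreshTime` field and the 5-minute period come from the description.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the refresh decision; all names here are hypothetical.
public class RefreshDemo {
  static final long REFRESH_PERIOD_MS = 5 * 60 * 1000L;           // "every 5 minutes"
  static final long SESSION_TIMEOUT_MS = 3 * 24 * 3600 * 1000L;   // constructed value

  // Stand-in for the token's Claims. A new map per token, since a JWT is immutable.
  static Map<String, Long> newToken(long now) {
    Map<String, Long> claims = new HashMap<>();
    claims.put("lastRefreshTime", now);
    claims.put("exp", now + SESSION_TIMEOUT_MS);
    return claims;
  }

  // Behaviour described above: only the expiration date moves forward.
  static Map<String, Long> refreshBuggy(Map<String, Long> claims, long now) {
    Map<String, Long> copy = new HashMap<>(claims);
    copy.put("exp", now + SESSION_TIMEOUT_MS);
    return copy;
  }

  // Corrected behaviour: the new token also records when it was refreshed.
  static Map<String, Long> refreshFixed(Map<String, Long> claims, long now) {
    Map<String, Long> copy = refreshBuggy(claims, now);
    copy.put("lastRefreshTime", now);
    return copy;
  }

  // Replays one request every requestIntervalMs and counts the tokens issued.
  static int countRefreshes(boolean fixed, long requestIntervalMs, long durationMs) {
    Map<String, Long> token = newToken(0);
    int refreshes = 0;
    for (long now = requestIntervalMs; now <= durationMs; now += requestIntervalMs) {
      if (now - token.get("lastRefreshTime") > REFRESH_PERIOD_MS) {
        token = fixed ? refreshFixed(token, now) : refreshBuggy(token, now);
        refreshes++;
      }
    }
    return refreshes;
  }

  public static void main(String[] args) {
    long interval = 10_000L, duration = 30 * 60 * 1000L; // constructed traffic pattern
    System.out.println("buggy refreshes: " + countRefreshes(false, interval, duration));
    System.out.println("fixed refreshes: " + countRefreshes(true, interval, duration));
  }
}
```

With the stale `lastRefreshTime`, every request after the first five minutes passes the age check and issues a new token; once the field is updated on refresh, the count drops to one token per refresh period.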