by jayd16 1365 days ago
Why doesn't the same argument apply when looking at other services? Can't they still do a lot of damage in that 5-10 minutes against those services?
1 comment

You're not wrong.

I replied to a sibling comment. What I do is use the JWT from OAuth or whatever SSO, verify it, and log the user in as normal, using the JWT as a replacement for a username/password.

I can invalidate the session or block the user as normal.
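The flow described in the comment above, as an added example (not the commenter's code): the IdP-issued JWT is verified once, exchanged for an ordinary server-side session with an opaque random ID, and from then on the session, not the token, is what gets checked, so the app can invalidate a session or block a user immediately without waiting for the JWT's `exp`. Everything here is constructed for illustration: the shared HS256 secret stands in for the provider's signing key (a real OAuth/OIDC provider would publish an RS256/ES256 public key via JWKS), the issuer and audience strings are hypothetical, and `make_idp_token` only exists to mint sample tokens the way an IdP would.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example only: a shared HS256 key standing in for the
# identity provider's signing key, plus the issuer and audience our app expects.
IDP_SECRET = b"constructed-example-secret-not-for-production"
EXPECTED_ISSUER = "https://sso.example.test"
EXPECTED_AUDIENCE = "my-app"


class JwtError(Exception):
    """Raised when a token fails any verification step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_idp_token(sub: str, ttl: int = 600, now: Optional[float] = None) -> str:
    """Mint a sample token as the IdP would (constructed helper, not an IdP API)."""
    now = time.time() if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": sub,
              "iat": int(now), "exp": int(now) + ttl}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> dict:
    """Check algorithm, signature, expiry, issuer and audience; return the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtError("malformed token") from exc
    # Pin the algorithm instead of trusting the header (rejects "none" and alg confusion).
    if header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise JwtError("expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise JwtError("wrong issuer or audience")
    if not claims.get("sub"):
        raise JwtError("missing subject")
    return claims


class SessionStore:
    """Server-side sessions keyed by an opaque random ID; the JWT is never the session."""

    def __init__(self):
        self._sessions = {}   # session_id -> {"sub": ..., "created": ...}
        self._blocked = set()  # subjects that may no longer log in

    def login_with_jwt(self, token: str, now: Optional[float] = None) -> str:
        """The 'username/password' step: a valid IdP token creates an ordinary session."""
        claims = verify_jwt(token, now)
        if claims["sub"] in self._blocked:
            raise PermissionError(f"user {claims['sub']} is blocked")
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"sub": claims["sub"],
                                      "created": time.time() if now is None else now}
        return session_id

    def current_user(self, session_id: str) -> Optional[str]:
        entry = self._sessions.get(session_id)
        return entry["sub"] if entry else None

    def invalidate(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def block_user(self, sub: str) -> None:
        """Block the user and drop every live session, regardless of the JWT's exp."""
        self._blocked.add(sub)
        for sid in [s for s, e in self._sessions.items() if e["sub"] == sub]:
            del self._sessions[sid]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login_with_jwt(make_idp_token("alice"))
    print("logged in as", store.current_user(sid))
    store.block_user("alice")
    print("after block:", store.current_user(sid))
```

The JWT is only ever presented at login; requests afterwards carry the opaque session ID, so a stolen or still-unexpired token gives no access once the session is gone. In production the `SessionStore` would be a database or Redis rather than a dict, and signature verification would use the IdP's published public key.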