One of the security issues with JWT is the refresh token used to generate a new JWT. Once an attacker gets access to the refresh token, he can use the it to generate as many tokens as he wants until the refresh token expires.

An improvement here is a feature of the process where every time you request a new JWT with a refresh token, you will not just return a new JWT but also a new refresh token and delete the old one in the database. This way even if someone steals the refresh token, he can only use it for the duration of the JWT lifetime which should be as short as possible anyway.

The JWTRefreshTokenBundle supports this feature since version 0.7.0 with the single_use flag.

gesdinet_jwt_refresh_token:
    single_use: true