It seems like that is the case on first glance, but further investigation of the code shows otherwise. The cache_get function does not return anything if the value is expired, but then the calling code treats that as a cache miss, and re-verifies the token. For a UUID token, this would mean going back to the server, and thus get a status of "Invalid." However, with PKI tokens, it just reruns the validation code in process which was not checking the expiration time. So the original cache validation is not effective in checking token expiration.
It seems like that is the case on first glance, but further investigation of the code shows otherwise. The cache_get function does not return anything if the value is expired, but then the calling code treats that as a cache miss, and re-verifies the token. For a UUID token, this would mean going back to the server, and thus get a status of "Invalid." However, with PKI tokens, it just reruns the validation code in process which was not checking the expiration time. So the original cache validation is not effective in checking token expiration.