Probably makes sense to respect the HTTP cache headers from the metadata URL.
The AS should probably also have its own min/max cache lifetime policy. Not sure if we want to recommend something explicit here though since it might depend on the particular deployment.
https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html#name-metadata-caching
Probably makes sense to respect the HTTP cache headers from the metadata URL.
The AS should probably also have its own min/max cache lifetime policy. Not sure if we want to recommend something explicit here though since it might depend on the particular deployment.