The AuthN server should be able to rotate keys. This means keeping old keys around long enough to verify existing JWTs while signing new JWTs with the new key. The trick will be figuring out an appropriate waiting period for refresh tokens.
Ahh, correction: the refresh tokens are (and should continue to be) secured separately. So really, key rotation can happen at some interval based on access token lifespans.
Also see: http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
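The rotation discussed in this thread, as an added example that is not the AuthN server's own code: new tokens are signed with the current key, and a rotated-out key stays available for verification for one access token lifespan before it is dropped. `KeyRing`, `ACCESS_TTL` (one hour) and the use of HS256 in place of an asymmetric signature are assumptions, chosen so the example runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, os

ACCESS_TTL = 3600  # assumed access token lifespan in seconds

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeyRing:  # hypothetical name, not from the project
    def __init__(self, now):
        self.keys = {}  # kid -> (secret, retire_at); retire_at None = signing key
        self.current = None
        self.rotate(now)

    def rotate(self, now):
        if self.current:
            # The last token signed by the old key expires at now + ACCESS_TTL.
            self.keys[self.current] = (self.keys[self.current][0], now + ACCESS_TTL)
        # Drop keys whose verification window has closed.
        self.keys = {k: v for k, v in self.keys.items() if v[1] is None or v[1] > now}
        self.current = b64(os.urandom(6))
        self.keys[self.current] = (os.urandom(32), None)
        return self.current

    def _mac(self, secret, msg):
        return hmac.new(secret, msg.encode(), hashlib.sha256).digest()

    def sign(self, sub, now):
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current}
        claims = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}
        msg = b64(json.dumps(header).encode()) + "." + b64(json.dumps(claims).encode())
        return msg + "." + b64(self._mac(self.keys[self.current][0], msg))

    def verify(self, token, now):
        try:
            h, c, s = token.split(".")
            header = json.loads(unb64(h))
            secret, retire_at = self.keys[header["kid"]]  # unknown kid -> KeyError
            if header["alg"] != "HS256" or (retire_at is not None and now >= retire_at):
                return None
            if not hmac.compare_digest(self._mac(secret, h + "." + c), unb64(s)):
                return None
            claims = json.loads(unb64(c))
            return claims if now < claims["exp"] else None
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
```

Time is passed in as `now` so the retirement window can be exercised deterministically; refresh tokens are out of scope here because, as noted above, they are secured separately.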