Closed jaxoncreed closed 3 years ago
I think RS could track exp claim on access tokens signed with given key and extend caching that key based on that exp date. IdP should not remove key as long as valid tokens exist signed by that key so caching it based on exp claim in tokens signed by that key seems reasonable.
Caching should not be a problem. In fact, it should be encouraged.
That said, there are better and worse ways to handle cache invalidation. When an IdP key is rotated, it is important that the new key has a new (unique) identifier in the kid
field. This way, if the incoming JWT has a kid
value that is not present in the cached JWKS, the resource server can attempt to refresh the cached JWKS data; otherwise, if the kid
value is already present in the cache, it can simply use the cached value.
This issue has been in the can-be-closed?
state for over a month with no objections.
I might be wrong about this, but wouldn't recommending the caching of public keys as stated here:
Be an anti-pattern as it would be recommended that IdPs rotate their keys frequently?