Closed dylex closed 2 years ago

This is more a question than an issue. We're running a server pretty much based on the example server (but with different authentication). After about 5 days, some clients seem to stop working until we restart one or both services, which seems to correspond to the default key TTL. Does rotateKeys need to be called manually every 5 days, or is some other process necessary? The docs just say the function exists in case you need to manually generate new ones, but the example only calls the function when it starts.

The default keyring parameters are set up so that keys expire after 5 days, so I'd guess it's related. You can change that if you wish or schedule a call to rotateKeys. What are the clients trying to do when they "stop working"?
If you're using it in anger for anything then you should probably also use a larger RSA key size.

Thanks for the response. I'll try calling rotateKeys False from a thread every 5 days.
The main client is https://www.mediawiki.org/wiki/Extension:OpenID_Connect and it's behaving as if it's not getting a JSON token back. After the user is redirected back with a successful auth, mediawiki's POST to /oauth/token seems to return a 500 (after it GETs openid-configuration).
I wouldn't say anger exactly but certainly in small-scale production. It was quite easy to set up (though just customizing the login html is a little copy-and-pasty).

A 500 sounds like a bug. Let me know if you get some more info and I'll take a look. Not sure when I'll have time to investigate myself. Are you using postgres?

Calling rotateKeys regularly seems to have fixed this problem.
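The rotation schedule the thread settles on, as an added illustration that is not the project's or the example server's code: a toy keyring whose signing key has the same 5-day TTL, the failure that appears when nothing rotates it, and a background schedule that rotates ahead of the TTL while keeping the previous key so tokens already issued still verify. The Key, KeyRing, next_rotation and run_scheduler names are assumptions of this toy, as is the drop_expired flag and the one-day margin (constructed values).

```python
import secrets
from dataclasses import dataclass, field

DAY = 86400
KEY_TTL = 5 * DAY        # the 5-day default the thread refers to
ROTATE_MARGIN = DAY      # constructed: rotate a day early, never at the TTL itself

@dataclass
class Key:
    kid: str
    created: float

    def expired(self, now: float) -> bool:
        return now >= self.created + KEY_TTL

@dataclass
class KeyRing:
    keys: list = field(default_factory=list)  # newest key last

    def rotate(self, now: float, drop_expired: bool = False) -> str:
        """Add a fresh signing key. Old keys stay for verification unless drop_expired prunes expired ones."""
        if drop_expired:
            self.keys = [k for k in self.keys if not k.expired(now)]
        kid = secrets.token_hex(4)
        self.keys.append(Key(kid, now))
        return kid

    def signing_key(self, now: float) -> Key:
        """Key for newly issued tokens; fails (the thread's 500) once the newest key has expired."""
        key = self.keys[-1]
        if key.expired(now):
            raise RuntimeError(f"signing key {key.kid} expired and rotateKeys was never called")
        return key

    def can_verify(self, kid: str) -> bool:
        return any(k.kid == kid for k in self.keys)

def next_rotation(ring: KeyRing) -> float:
    """When the background thread should fire: ROTATE_MARGIN before the current key's TTL."""
    return ring.keys[-1].created + KEY_TTL - ROTATE_MARGIN

def run_scheduler(ring: KeyRing, until: float) -> int:
    """Simulate the periodic thread up to time `until`; returns how many rotations happened."""
    count = 0
    while next_rotation(ring) <= until:
        ring.rotate(next_rotation(ring))
        count += 1
    return count
```

Rotating exactly at the TTL leaves a window where the newest key is already expired; the margin is what closes it, and keeping old keys is what stops tokens issued just before a rotation from failing verification.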