Skip to content

Caching according to Okta guidance #5

Description

@REASY

When an authorization server has been configured to rotate key credentials automatically, it is recommended to cache and dynamically fetch the public keys used to verify the signatures of tokens (returned in the JSON Web Key Store when calling the jwks_uri) received from the authorization server.

To avoid verification failure when keys are automatically rotated, Okta recommends the following:

  1. Cache the JSON Web Key Set (JWKS) indefinitely.
  2. When a token presents a 'kid' that is not recognized by the cache, the jwks_uri should be re-requested and re-cached.
  3. As an alternative to Step 2 above, another approach is to request the jwks_uri once per month. If there is a 'kid' mismatch, recache the keys.

Source: What is the recommended approach to take when caching the Okta JSON Web Keys Set(JWKS) for OAuth?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions