When an authorization server has been configured to rotate key credentials automatically, it is recommended to cache and dynamically fetch the public keys used to verify the signatures of tokens (returned in the JSON Web Key Store when calling the jwks_uri) received from the authorization server.
To avoid verification failure when keys are automatically rotated, Okta recommends the following:
- Cache the JSON Web Key Set (JWKS) indefinitely.
- When a token presents a 'kid' that is not recognized by the cache, the jwks_uri should be re-requested and re-cached.
- As an alternative to Step 2 above, another approach is to request the jwks_uri once per month. If there is a 'kid' mismatch, recache the keys.
Source: What is the recommended approach to take when caching the Okta JSON Web Keys Set(JWKS) for OAuth?
When an authorization server has been configured to rotate key credentials automatically, it is recommended to cache and dynamically fetch the public keys used to verify the signatures of tokens (returned in the JSON Web Key Store when calling the jwks_uri) received from the authorization server.
To avoid verification failure when keys are automatically rotated, Okta recommends the following:
Source: What is the recommended approach to take when caching the Okta JSON Web Keys Set(JWKS) for OAuth?