JWT signing key for VerifyJWT policy

I have a proxy that needs to verify the JWT token and I'm using the VerifyJWT policy to do it. It's working fine but my signing key is hard coded in a policy. We use Okta, and it's set up to automatically rotate the JWT signing keys. Is there a way to cache the signing key from the Okta auth server and when the signing key changes the cache gets updated?

Solved

ACCEPTED SOLUTION

Yes you can do that with the help of LookupCache >> ServiceCallout >> PopulateCache >> VerifyJWT policies.

I have implemented this scenario some time back...I will upload it if required.

Meanwhile, check these docs,

https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview.html#usingajsonwebkeys...

https://github.com/DinoChiesa/ApigeeEdge-JWT-Demonstration/tree/master/proxy-bundles/jwt-verify-goog...


5 REPLIES


This looks good, but what happens if I set the cache to an hour and the signing key happens to rotate within that hour? The validations will fail until the cache gets updated, correct? Maybe I'm missing something.

Ideally, Okta would leave the expiring key in their signing key URL payload for a while until all issued tokens have been expired. I suspect they do this, but you may need to confirm that. The verifier will check the key id provided by the JWT claim and use the matching key from the key set to attempt to verify the claim.

Correct. Okta will keep the old signing keys in their payload, at least until all JWTs signed with that old key have expired, and probably well beyond that expiry. I don't work for Okta, so my word is not authoritative on this, but this is standard practice and Okta are a solid company, so this is something we should confidently expect.

what happens if I set the cache to an hour and the signing key happens to rotate within that hour?

You should set the cache TTL to a value that is less than or equal to the expected JWT token lifetime for tokens issued by that issuer. If the token issuer is Okta and Okta issues tokens with a 30-minute lifetime, then you can safely use a 30 minute cache TTL. If you want an extra margin of safety, you can use 15 minutes.

BTW, coming soon: the VerifyJWT policy will accept a JWKS URI and will do all the lookup and caching for you, automatically. There will be no need for LookupCache >> ServiceCallout >> PopulateCache.
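Putting the chain from the accepted answer together with the kid-matching and cache-TTL points from the replies, here is an added example of the proxy flow and the four policies, written for this page rather than taken from the thread or from Apigee's own samples. The policy names (LC-OktaJWKS, SC-FetchOktaJWKS, PC-OktaJWKS, AM-SetJWKS, VJ-Okta), the flow variable okta.jwks, the cache key okta-jwks, and the placeholder values {yourOktaDomain} and api://default are assumptions chosen here; substitute your Okta authorization server's issuer, audience and keys URL.

```xml
<!-- Added example, not from the thread. Placeholder names are marked in the
     lead-in. ProxyEndpoint PreFlow: refresh the cached JWKS only on a miss,
     then verify the incoming token against whichever key its kid names. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>LC-OktaJWKS</Name></Step>
    <Step>
      <Name>SC-FetchOktaJWKS</Name>
      <Condition>lookupcache.LC-OktaJWKS.cachehit = false</Condition>
    </Step>
    <Step>
      <Name>PC-OktaJWKS</Name>
      <Condition>lookupcache.LC-OktaJWKS.cachehit = false</Condition>
    </Step>
    <Step>
      <Name>AM-SetJWKS</Name>
      <Condition>lookupcache.LC-OktaJWKS.cachehit = false</Condition>
    </Step>
    <Step><Name>VJ-Okta</Name></Step>
  </Request>
</PreFlow>

<!-- 1. Try the cache. On a hit the JWKS document is assigned to okta.jwks;
     on a miss that variable stays unset and cachehit is false. -->
<LookupCache name="LC-OktaJWKS">
  <CacheKey><KeyFragment>okta-jwks</KeyFragment></CacheKey>
  <Scope>Exclusive</Scope>
  <AssignTo>okta.jwks</AssignTo>
</LookupCache>

<!-- 2. On a miss, fetch the published key set. The request is built from
     scratch (and Authorization is removed for good measure) so the caller's
     own bearer token is never forwarded to Okta. -->
<ServiceCallout name="SC-FetchOktaJWKS">
  <Request variable="jwksRequest">
    <Set><Verb>GET</Verb></Set>
    <Remove><Headers><Header name="Authorization"/></Headers></Remove>
  </Request>
  <Response>jwksResponse</Response>
  <Timeout>3000</Timeout>
  <HTTPTargetConnection>
    <URL>https://{yourOktaDomain}/oauth2/default/v1/keys</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- 3. Store the response body. Keep the TTL at or below the lifetime of the
     tokens Okta issues (900 s here, for 30-minute tokens). Keys that have been
     rotated out remain in Okta's published set, so tokens signed by the
     previous key still verify after a refresh. -->
<PopulateCache name="PC-OktaJWKS">
  <CacheKey><KeyFragment>okta-jwks</KeyFragment></CacheKey>
  <Scope>Exclusive</Scope>
  <Source>jwksResponse.content</Source>
  <ExpirySettings><TimeoutInSec>900</TimeoutInSec></ExpirySettings>
</PopulateCache>

<!-- 4. Expose the freshly fetched document under the same variable a cache
     hit would have populated, so VerifyJWT has one place to look. -->
<AssignMessage name="AM-SetJWKS">
  <AssignVariable>
    <Name>okta.jwks</Name>
    <Ref>jwksResponse.content</Ref>
  </AssignVariable>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- 5. Verify. With a JWKS the policy selects the key whose kid matches the
     kid in the JWT header, so no single signing key is hard coded. Source is
     omitted: the default reads request.header.authorization (Bearer <token>).
     Pinning the algorithm, issuer and audience closes the usual substitution
     holes; TimeAllowance absorbs small clock skew on exp/nbf. -->
<VerifyJWT name="VJ-Okta">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <JWKS ref="okta.jwks"/>
  </PublicKey>
  <Issuer>https://{yourOktaDomain}/oauth2/default</Issuer>
  <Audience>api://default</Audience>
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>
```

The remaining gap is the one raised in the thread: a token signed by a key that Okta added after the last refresh fails until the cache entry expires, which the TTL bounds to at most one cache period. If that window matters, DecodeJWT exposes the token's kid as jwt.{policy_name}.header.kid, and a small JavaScript step can check whether that kid is present in the cached okta.jwks and force the fetch-and-populate steps when it is not. Current Apigee releases also accept <JWKS uri="..."/> inside PublicKey, which is the built-in fetch-and-cache the last reply anticipates.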