This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

VerifyJWT JWKS Uri Caching

Posted on 03-24-2021 07:35 AM
bullenjohnmicha
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I'm planning to use the VerifyJWT policy and use the uri for caching of the JWKS. I haven't seen how caching is implemented except for the fact that the cache retains the JWKS for 300 seconds.

How does it behave if it encounters an unknown kid in the JWT header? Would it immediately fetch the JWKS and refresh the cache?

Solved Solved
0 2 1,106
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

Nope, the cache management is fairly simple. It does not cache based on kid. It caches the entire JWKS using the JWKS URI as the cache key.

The assumptions behind the JWKS cache is

  • JWKS content is small
  • keys change slowly
  • new keys get added to the JWKS before there are JWT signed with those keys
  • old keys get removed only AFTER the expiration of the last JWT signed with that key

If you have the case in which you are introducing a new key, signing JWT with that new key, and updating the JWKS endpoint all within 5 minutes, then the cache assumptions won't hold.

To avoid this

  1. add new keys to the JWKS before you begin using the keys
  2. remove old keys from your JWKS lazily

There is an outstanding feature request to allow the caching to respect the HTTP caching headers. That seems reasonable. The practical effect of that will most likely be to have a LONGER TTL for the cached JWKS.

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

Nope, the cache management is fairly simple. It does not cache based on kid. It caches the entire JWKS using the JWKS URI as the cache key.

The assumptions behind the JWKS cache is

  • JWKS content is small
  • keys change slowly
  • new keys get added to the JWKS before there are JWT signed with those keys
  • old keys get removed only AFTER the expiration of the last JWT signed with that key

If you have the case in which you are introducing a new key, signing JWT with that new key, and updating the JWKS endpoint all within 5 minutes, then the cache assumptions won't hold.

To avoid this

  1. add new keys to the JWKS before you begin using the keys
  2. remove old keys from your JWKS lazily

There is an outstanding feature request to allow the caching to respect the HTTP caching headers. That seems reasonable. The practical effect of that will most likely be to have a LONGER TTL for the cached JWKS.

Jump to Solution

Posted on --/--/---- --:-- AM
bullenjohnmicha
Bronze 2
Bronze 2
In response to dchiesa1
Reply posted on --/--/---- --:-- AM

Thank you @dchiesa1 !

Jump to Solution