Detect when JWK keys are rotated

I have an authorization server with “Signing Key Rotation” set to Automatic and in my code, I have cached the key so that I am not fetching it every time I need to decode an access token. However, how do I know when to re-fetch the key and update my cache? My understanding is that once the key is rotated, then my cached key will stop working and I will get an “InvalidSignatureError” exception. I can catch this exception and update my cached key, but that is a very generic exception, as it is also raised if someone sends a bad token, so I may end up updating my cache far too often unnecessarily. Is there another way to find out that the authorization server has rotated the keys?

Typically, we recommend that you do just as you’re doing now: caching the keys and waiting until you are sent a token with a ‘kid’ you don’t recognize before you cache them again.

Are the InvalidSignatureErrors you see all caused by the ‘kid’ value not matching, or is a different verification issue causing this failure?

Something else you could do is use the Authorization Server's API endpoint to find out when the keys were last rotated and when they will be rotated next.
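The cache-and-refetch-on-unknown-kid approach recommended above, as an added example that is not part of the original thread. The JWKS documents, key ids and sample token are constructed placeholders, and the minimum refresh interval (which keeps a stream of bogus tokens from turning every unknown kid into a fetch) is an assumption.

```python
import base64
import json
import time

# Constructed JWKS documents standing in for two successive responses from the
# authorization server's JWKS endpoint: key-B appears after a rotation. Key ids
# and key material are placeholders, not real keys.
JWKS_BEFORE = {"keys": [{"kid": "key-A", "kty": "RSA", "e": "AQAB", "n": "placeholder-A"}]}
JWKS_AFTER = {"keys": JWKS_BEFORE["keys"] + [{"kid": "key-B", "kty": "RSA", "e": "AQAB", "n": "placeholder-B"}]}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def kid_from_token(token):
    """Read kid from the (unverified) JOSE header; it only selects the key, the signature check still decides."""
    header_b64 = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
    return header.get("kid")


# Constructed token with a real header only; payload and signature are placeholders.
SAMPLE_TOKEN = _b64url(json.dumps({"alg": "RS256", "kid": "key-B"}).encode()) + ".payload.signature"


class JwksCache:
    """Cache keys by kid; refetch only on an unknown kid, and at most once per interval."""

    def __init__(self, fetch_jwks, min_refresh_interval=300, clock=time.monotonic):
        self._fetch = fetch_jwks          # callable returning a JWKS dict (an HTTPS GET in production)
        self._interval = min_refresh_interval
        self._clock = clock
        self._keys = {}
        self._last_fetch = None
        self.fetch_count = 0              # exposed so callers can observe refetch behaviour

    def _refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def key_for_kid(self, kid):
        if self._last_fetch is None:
            self._refresh()               # cold start: populate the cache
        key = self._keys.get(kid)
        if key is None and self._clock() - self._last_fetch >= self._interval:
            # Unknown kid: the server may have rotated. Refetch at most once per
            # interval so a flood of bogus tokens cannot hammer the JWKS endpoint.
            self._refresh()
            key = self._keys.get(kid)
        return key
```

A token whose kid is still unknown after the refetch (or that arrives inside the throttle window) gets no key and is rejected without another round trip, which is exactly the bad-token case the question worries about.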
