Manual Key rotation

I must be doing something wrong here, but I can find no documentation indicating what.

I have an application with automatic key rotation enabled.
I fetch the metadata from domain/.well-known/openid-configuration and this indicates that the jwks endpoint is at domain/oauth2/v1/keys

the 2 kid’s returned from /keys are f4U… and fVd… This is constant in my tests.
Using the OIDC authorization code flow the token I retrieve from domain/oauth2/v1/token is signed with a kid of f4U…

At this point all is well. However if I switch the application to manual key rotation the returned token is signed with a different key YqI… the /keys end point does not change and is not returning that key.

My question is how can I enable manual key rotation and have the /keys endpoint still work? It’s also concerning that only the output if the /token endpoint changes. Switching key rotation back to automatic fixes things.

The /keys endpoint generally returns the keys used to sign tokens minted by the Org Authorization Server. If you are using manual key rotation for a specific client you will need to specify which client’s keys you want to fetch when making the call to the /keys endpoint- GET /oauth2/v1/keys?client_id=<your_client_id>.

Please note that the response from the /keys endpoint is eventually consistent, so if you generate a new key for the client you may need to wait a few minutes for that key to be returned. The new key will not be used to sign tokens until the client is explicitly configured to use it.


Switching to the default authorization server instead of the org one seems to work.

It is not intuitive than manual key rotation can’t be made to work. Having to provide query parameters the the key endpoint is not standard. I’m working with an application that only support generic OIDC.