JWK keys are updated only after a certain interval (20 mins default) has passed. If the OAuth server issues a token with a new ‘kid’, it cannot be used until the refresh interval expires and the keys are fetched again. This behaviour is undesirable, as the server should be able to rotate the keys at any time. Ideally, along with the refresh interval, if a token is encountered whose kid is not in the cache, it should be fetched from the JWK endpoint.
Is there a workaround to this? Can I write a filter to replace the RequestAuthentication and do JWT validation, setting the metadata required by AuthorizationPolicy, so I can still leverage the authorization policy resource?
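One way to get the refresh-on-unknown-kid behaviour the post asks for, shown as an added Go example that is not Istio's or Envoy's code: a JWKS cache that still refreshes on the usual interval but also refreshes when a token's kid misses the cache, with a minimum gap between miss-triggered fetches so that tokens carrying bogus kids cannot be used to hammer the JWKS endpoint. `Fetcher`, `JWKSCache`, `Interval`, `MinGap` and the sample key values are assumptions for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Fetcher stands in for an HTTPS GET of the JWKS endpoint, returning keys by kid.
type Fetcher func() (map[string]string, error)

// JWKSCache refreshes on the periodic interval the post describes and also on a
// cache miss for an unknown kid. Miss-triggered fetches are spaced at least MinGap
// apart so a flood of bogus kids cannot amplify requests against the JWKS endpoint.
type JWKSCache struct {
	Fetch     Fetcher
	Interval  time.Duration    // periodic refresh, 20 minutes in the post
	MinGap    time.Duration    // throttle for miss-triggered refreshes
	Now       func() time.Time // injectable clock
	mu        sync.Mutex
	keys      map[string]string
	lastFetch time.Time
}

// Key returns the key for kid, refreshing the set when Interval has elapsed
// or when the kid is unknown and at least MinGap has passed since the last fetch.
func (c *JWKSCache) Key(kid string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.Now()
	stale := c.lastFetch.IsZero() || now.Sub(c.lastFetch) >= c.Interval
	_, known := c.keys[kid]
	if stale || (!known && now.Sub(c.lastFetch) >= c.MinGap) {
		k, err := c.Fetch()
		if err != nil {
			return "", err // keep the previous key set on fetch failure
		}
		c.keys, c.lastFetch = k, now
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return "", fmt.Errorf("unknown kid %q", kid)
}

func main() {
	static := func() (map[string]string, error) { return map[string]string{"k1": "pub1"}, nil } // constructed sample
	c := &JWKSCache{Fetch: static, Interval: 20 * time.Minute, MinGap: 30 * time.Second, Now: time.Now}
	fmt.Println(c.Key("k1"))
}
```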
Were you able to find a solution for this?