0

Does Spring Security OIDC client support automatic JWK key rotation? If yes, how do I configure the refresh frequency? The documentation states that "As the authorization server makes available new keys, Spring Security will automatically rotate the keys used to validate the JWT tokens.", but it doesn't provide information on how to configure the refresh frequency.

I Baskine
  • 21
  • 3

1 Answer

0

Yes, Spring Security supports automatic JWK key rotation for OIDC clients. The functionality is contained in RemoteJWKSet (view source). Javadoc states:

"Remote JSON Web Key (JWK) source specified by a JWK set URL. The retrieved JWK set is cached to minimise network calls. The cache is updated whenever the key selector tries to get a key with an unknown ID."

Configuring the refresh frequency has already been discussed in 60409678.

14241354
  • 156
  • 4
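
The caching rule quoted from the Javadoc in the answer above, modelled in plain Java as an added example; it is not code from the answer, from Nimbus or from Spring Security. The names `CachingKeySource` and `keyFor`, the key IDs and the key strings are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

/** Simplified model of the quoted caching rule; not Nimbus or Spring code. */
public class KidCacheDemo {

    /** Caches a JWK set (kid -> key material) and refetches only on an unknown kid. */
    static class CachingKeySource {
        private final Supplier<Map<String, String>> jwkSetEndpoint; // stands in for the JWK set URL
        private Map<String, String> cached = Map.of();
        int fetches = 0;

        CachingKeySource(Supplier<Map<String, String>> jwkSetEndpoint) {
            this.jwkSetEndpoint = jwkSetEndpoint;
        }

        /** Returns the key for kid, or null if the server does not publish it. */
        String keyFor(String kid) {
            String key = cached.get(kid);
            if (key == null) {               // unknown key ID: refresh the cache once
                cached = Map.copyOf(jwkSetEndpoint.get());
                fetches++;
                key = cached.get(kid);       // still null: the token must be rejected
            }
            return key;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the key set the authorization server currently publishes.
        Map<String, String> published = new HashMap<>(Map.of("kid-2023", "public-key-A"));
        CachingKeySource source = new CachingKeySource(() -> published);

        System.out.println(source.keyFor("kid-2023") + " fetches=" + source.fetches); // first use: fetch
        System.out.println(source.keyFor("kid-2023") + " fetches=" + source.fetches); // cache hit

        // The server rotates: a new key is published and the old one is withdrawn.
        published.clear();
        published.put("kid-2024", "public-key-B");

        System.out.println(source.keyFor("kid-2024") + " fetches=" + source.fetches); // unknown kid: refetch
        System.out.println(source.keyFor("kid-2023") + " fetches=" + source.fetches); // withdrawn kid: refetch, no key
    }
}
```

In this model a token signed with the rotated key validates without any timer, because its unknown key ID forces the refresh; a key ID the server no longer publishes also forces a refresh and still resolves to nothing, so tokens signed with a withdrawn key stop validating.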