
Is it a common/useful practice to keep a copy of the public key used to validate each JWT token on every request, to avoid fetching it every time from the authorization server?

Is it an available option when using Spring Security? Or is there an implicit cache of the public key?

Tristan

1 Answer


It is common practice, and useful, to keep a copy of JWKs that have been pulled from a JWKs URI and to use the cached copy for performance reasons.

In fact the JWK spec has been set up in such a way that it recommends this practice, by virtue of adding a kid (or: Key Identifier) claim to the JWK and the tokens.

Whenever a signing key is updated/rolled over, the Sender would update the kid in the JWKs and the signed tokens, so that the Receiver would notice that the new kid is not yet available in the cache and thus pull the updated JWKs again from the JWKs URI.

Hans Z.
  • Ok, thank you for this detailed answer. Would you know if Spring Security applies this strategy by default? It looks like the only parameter is "jwk-set-uri" – Tristan Jan 20 '23 at 17:06
  • Oh ok, I've found the answer, there is actually a default cache with a 5 min duration: https://stackoverflow.com/questions/60409678/how-to-increase-remotejwkset-cache-ttl-in-spring-security-5-2 – Tristan Jan 20 '23 at 17:09
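The refresh-on-unknown-kid strategy the answer describes, with a TTL like Spring's default, as an added example that is neither the poster's code nor Spring Security's: `JwksCache`, the injected `fetch` callable (standing in for an HTTP GET of the JWKS URI), `FakeClock` and the key set in `rollover_scenario` are all constructed for illustration, and no signature verification is performed.

```python
import time
from typing import Callable, Dict, List, Optional


class JwksCache:
    """JWK Set cache keyed by kid: refreshed on TTL expiry or on an unknown kid.

    `fetch` is a hypothetical stand-in for pulling the JWKS URI and returns the
    list of JWK dicts; `clock` is injectable so the scenario below is deterministic.
    """

    def __init__(self, fetch: Callable[[], List[dict]], ttl_seconds: float = 300.0,
                 min_refresh_interval: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.fetch, self.ttl, self.min_gap, self.clock = fetch, ttl_seconds, min_refresh_interval, clock
        self.keys: Dict[str, dict] = {}
        self.fetched_at = float("-inf")
        self.fetch_count = 0  # how many times the JWKS URI was actually pulled

    def _refresh(self) -> None:
        self.keys = {jwk["kid"]: jwk for jwk in self.fetch()}
        self.fetched_at = self.clock()
        self.fetch_count += 1

    def get_key(self, kid: str) -> Optional[dict]:
        if self.clock() - self.fetched_at > self.ttl:
            self._refresh()  # periodic refresh, like Spring's default 5 min TTL
        key = self.keys.get(kid)
        if key is None and self.clock() - self.fetched_at >= self.min_gap:
            # An unknown kid usually means a key rollover: pull the JWKS once more, but
            # rate-limit it so an attacker-chosen kid cannot force one fetch per request.
            self._refresh()
            key = self.keys.get(kid)
        return key


class FakeClock:
    """Constructed manual clock; advance it by setting `t`."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def rollover_scenario() -> dict:
    """Constructed rollover: the issuer publishes kid 'k1', later adds 'k2'."""
    published = [{"kid": "k1", "kty": "RSA", "e": "AQAB", "n": "<constructed>"}]
    clock = FakeClock()
    cache = JwksCache(fetch=lambda: list(published), clock=clock)
    hit1 = cache.get_key("k1") is not None           # first use: one fetch
    hit2 = cache.get_key("k1") is not None           # served from cache, no fetch
    miss_throttled = cache.get_key("bogus")          # unknown kid, but too soon to refetch
    clock.t = 20.0
    published.append({"kid": "k2", "kty": "RSA", "e": "AQAB", "n": "<constructed>"})
    hit_after_rollover = cache.get_key("k2") is not None  # cache miss triggers one refetch
    clock.t = 400.0
    cache.get_key("k2")                              # TTL expired: scheduled refresh
    return {"hit1": hit1, "hit2": hit2, "miss_throttled": miss_throttled,
            "hit_after_rollover": hit_after_rollover, "fetches": cache.fetch_count}
```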