Best Practices for Caching the Okta JSON Web Keys Set(JWKS) for OAuth
Overview

This article describes best practices for caching the JWKS returned from the jwks_uri endpoint. Caching these keys limits the number of calls to the endpoint, and the latency they add, when tokens are validated locally.

Applies To
  • OpenID Connect/OAuth applications
  • API Access Management
  • JWKS endpoint
  • Okta Classic Engine
Cause

To save network round trips, cache the jwks_uri response locally, following the directives in the standard HTTP Cache-Control headers of the response.

Solution

When an authorization server is configured to rotate its key credentials automatically (recommended), fetch the public keys used to verify token signatures dynamically from the JWKS endpoint and cache them.


To avoid verification failures when keys are rotated automatically, Okta recommends caching the keys returned from the jwks_uri according to the directives in the standard Cache-Control headers included in the response. The lifetime given by those directives is how long the keys can safely be cached. If the directive is no-cache, the keys should not be cached, because they are about to rotate.
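The following Python example, added here and not part of the Okta article, shows one way to implement the caching policy described above: it parses the Cache-Control header of the jwks_uri response, honours max-age as the cache lifetime, treats no-cache and no-store as "do not cache", and refreshes the key set once when a token references a kid that is not in the cache (an assumed, common defence against a rotation that happens before max-age expires). The HTTP fetch is injected as a callable so the code runs offline; the jwks_uri value, the sample JWKS document and the `key-A` kid are constructed placeholders.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Injected fetcher: takes the jwks_uri, returns (response headers, parsed JWKS JSON).
# In production this would wrap an HTTPS client; here it is a parameter so the
# example runs offline.
Fetcher = Callable[[str], Tuple[Dict[str, str], dict]]


def parse_cache_control(value: Optional[str]) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument} (directives lowercased)."""
    directives: Dict[str, str] = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_ttl(cache_control: Optional[str]) -> int:
    """Seconds the JWKS response may be cached; 0 means 'do not cache'."""
    d = parse_cache_control(cache_control)
    if "no-cache" in d or "no-store" in d:
        return 0
    try:
        return max(0, int(d.get("max-age", "0")))
    except ValueError:
        return 0


class JwksCache:
    """Caches the JWKS keyed by kid, for as long as Cache-Control allows."""

    def __init__(self, jwks_uri: str, fetcher: Fetcher,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.jwks_uri = jwks_uri
        self.fetcher = fetcher
        self.clock = clock
        self._keys: Dict[str, dict] = {}
        self._expires_at = float("-inf")  # nothing cached yet
        self.fetch_count = 0

    def _refresh(self) -> None:
        headers, body = self.fetcher(self.jwks_uri)
        self.fetch_count += 1
        lowered = {k.lower(): v for k, v in headers.items()}
        ttl = cache_ttl(lowered.get("cache-control"))
        self._keys = {k["kid"]: k for k in body.get("keys", []) if "kid" in k}
        # ttl == 0 (no-cache / no max-age) leaves the entry immediately stale,
        # so the next lookup fetches again instead of trusting stale keys.
        self._expires_at = self.clock() + ttl

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK for kid, refreshing from jwks_uri when the cache is stale."""
        refreshed = False
        if self.clock() >= self._expires_at:
            self._refresh()
            refreshed = True
        key = self._keys.get(kid)
        if key is None and not refreshed:
            # Unknown kid on a fresh cache: keys may have rotated early.
            # Refresh once; a kid still missing afterwards is rejected by the caller.
            self._refresh()
            key = self._keys.get(kid)
        return key


def build_example_cache(cache_control: str = "max-age=60"):
    """Wire the cache to a constructed, offline fetcher and a controllable clock."""
    clock = {"t": 0.0}
    calls = []

    def fake_fetcher(uri: str):
        calls.append(uri)
        # Constructed sample JWKS; a real one carries full RSA/EC parameters.
        return ({"Cache-Control": cache_control},
                {"keys": [{"kty": "RSA", "kid": "key-A", "use": "sig", "alg": "RS256"}]})

    cache = JwksCache("https://YOUR_OKTA_DOMAIN.example/oauth2/default/v1/keys",  # placeholder
                      fake_fetcher, clock=lambda: clock["t"])
    return cache, clock, calls


if __name__ == "__main__":
    cache, clock, calls = build_example_cache()
    cache.get_key("key-A")          # first lookup fetches
    clock["t"] = 30.0
    cache.get_key("key-A")          # within max-age: served from cache
    clock["t"] = 61.0
    cache.get_key("key-A")          # past max-age: fetched again
    print("fetches:", len(calls))
```

A token whose kid is still unknown after the single refresh should be rejected rather than triggering further fetches; otherwise an attacker-chosen kid in a forged token header could be used to drive repeated requests to the jwks_uri.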

