
2g3k1 (2g3k1) asked a question.
We cache JSON Web Keys retrieved from Authorization servers and use cached keys to validate ID tokens. If the key id in the JWS header of the token is not found in the cache, we retrieve the keys again and refresh the cache. The expectation was that when the keys are rotated, a key with a new id will be added, and encountering a token with this id would prompt the cache refresh. However, our validation started failing after the keys were rotated, and I wonder if it's because the key id remained the same, but the value changed. The documentation https://developer.okta.com/docs/guides/validate-access-tokens/java/overview/*validate-a-token doesn't talk about the need to check Cache-Control directives, although it mentions retrieving the keys periodically, but that's not very specific. If the key ids change during the key rotation, then our code shouldn't have failed. So how does it really work, and what's the best course of action to avoid failures after the key

Hi Renata,
Thank you for posting on our community portal.
When the rotation happens the ACTIVE Key becomes the EXPIRED Key, the NEXT Key becomes the ACTIVE Key, and the Authorization Server immediately begins using the new active Key to sign tokens.
As you can see in the response example from https://developer.okta.com/docs/reference/api/authorization-servers/#rotate-authorization-server-keys the new key has a different unique kid.
I suggest opening a Support Case in order to further troubleshoot.
Marian Cambei
Technical Support Engineer