Managing the JSON Web Key cache
A thread in the HTTP server task manages JSON Web Keys (JWKs), fetching and refreshing them from configured OIDC providers. These trusted JWKs are used to cryptographically verify the JWTs used for HTTP Bearer Authentication and OIDC-based SSO.
About this task
In addition to loading JWKs from each configured OIDC provider's jwks_uri endpoint when the HTTP task starts or restarts, the JWK cache management thread tracks the expiration time that each provider returns in the Cache-Control header of its jwks_uri response and refreshes that provider's JWKs shortly before they expire. Providers that do not return a Cache-Control max-age are refreshed every 15 minutes by default.
The JWK cache management thread also checks the cache for long-expired JWKs and removes them to prevent the cache from growing out of control.
Procedure
| Setting | Description |
|---|---|
| OIDC_PROVIDER_CACHE_POLLING_INTERVAL=30 | Thread polls for pending actions every 30 seconds |
| OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL=60 | Thread refreshes a provider's JWKs 60 seconds before they expire |
| OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION=15*60 | Providers that return no max-age are refreshed every 15 minutes by default |
| OIDC_JWK_CACHE_PURGE_INTERVAL=12*60*60 | Long-expired JWKs are purged every 12 hours by default |
| OIDC_JWK_CACHE_PURGE_EXPIRED_SEC=24*60*60 | Only JWKs that expired more than 24 hours ago are purged |
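The following is an added illustration of how the five settings above interact in one poll of the cache thread; it is example code written for this page, not the server's own implementation. It assumes the settings are plain integer seconds, that `jwk_cache` maps a key id to the time its provider's key set expires, and that `fetch_jwks` is a hypothetical callback that returns a provider's keys together with the Cache-Control value from its jwks_uri response.

```python
import re

# Default values from the settings table, in seconds (assumed to be overridable the same way)
OIDC_PROVIDER_CACHE_POLLING_INTERVAL = 30
OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL = 60
OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION = 15 * 60
OIDC_JWK_CACHE_PURGE_INTERVAL = 12 * 60 * 60
OIDC_JWK_CACHE_PURGE_EXPIRED_SEC = 24 * 60 * 60


def parse_max_age(cache_control):
    """Return max-age (seconds) from a Cache-Control header value, or None when absent."""
    if not cache_control:
        return None
    m = re.search(r"(?:^|[,\s])max-age\s*=\s*(\d+)", cache_control, re.IGNORECASE)
    return int(m.group(1)) if m else None


def provider_expiry(fetched_at, cache_control):
    """Time at which a provider's key set expires; no max-age means the default TTL applies."""
    max_age = parse_max_age(cache_control)
    ttl = OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION if max_age is None else max_age
    return fetched_at + ttl


def providers_due(providers, now):
    """Providers to refresh on this poll: those expiring within the advance-renewal window."""
    return sorted(name for name, (fetched_at, cc) in providers.items()
                  if provider_expiry(fetched_at, cc) - OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL <= now)


def purge_long_expired(jwk_cache, now):
    """Drop keys whose expiry is more than PURGE_EXPIRED_SEC in the past; return removed kids."""
    removed = sorted(kid for kid, expires_at in jwk_cache.items()
                     if now - expires_at > OIDC_JWK_CACHE_PURGE_EXPIRED_SEC)
    for kid in removed:
        del jwk_cache[kid]
    return removed


def poll_once(providers, jwk_cache, last_purge_at, now, fetch_jwks):
    """One iteration of the cache thread (runs every POLLING_INTERVAL seconds).
    fetch_jwks(name) -> (keys_by_kid, cache_control) is a hypothetical fetch callback."""
    for name in providers_due(providers, now):
        keys, cache_control = fetch_jwks(name)
        providers[name] = (now, cache_control)          # record fetch time and new TTL source
        expires_at = provider_expiry(now, cache_control)
        for kid in keys:                                 # keys inherit the provider's expiry
            jwk_cache[kid] = expires_at
    if now - last_purge_at >= OIDC_JWK_CACHE_PURGE_INTERVAL:
        purge_long_expired(jwk_cache, now)
        last_purge_at = now
    return last_purge_at
```

Note that a key set past its expiry is still kept (and usable for verification) until the purge threshold has passed; a refresh failure therefore does not immediately break token verification.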