Managing the JSON Web Key cache
In Domino 14.0, the main server task manages and caches the configured OIDC Providers in the IDP Catalog database and their trusted JSON Web Keys (JWKs). These trusted JWKs are used to cryptographically verify the JWTs used for HTTP Bearer Authentication and Web Login with OIDC. This cached information can be used by all Domino server tasks, including C API programs using the SECValidateAccessToken SDK function.
About this task
In addition to loading the configured OIDC Providers' published endpoints and JWKs when the HTTP task starts or restarts, the server task checks the cache for needed updates every minute. Providers return JWK expiration times in their Cache-Control response headers, and cached JWKs are refreshed 10 minutes before they expire. JWKs from providers that do not return Cache-Control headers are refreshed every 30 minutes by default.
Every 12 hours, the JWK cache management thread also checks the cache for JWKs that expired more than 24 hours ago and removes them, so that the cache does not grow without bound.
Procedure
Adjust the cache timing with the following settings (the values shown are the defaults, in seconds):

| Setting | Description |
|---|---|
| OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL=10*60 | Providers updated 10 minutes before expiration |
| OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION=30*60 | Providers without Max-age update every 30 minutes by default |
| OIDC_JWK_CACHE_PURGE_INTERVAL=12*60*60 | Purge long-expired JWKs every 12 hours by default |
| OIDC_JWK_CACHE_PURGE_EXPIRED_SEC=24*60*60 | Purge only JWKs that expired more than 24 hours ago |

Debug output for the cache:

| Setting | Description |
|---|---|
| DEBUG_OIDC_CACHE=(0,1,2,3,4,5,6) | Applies to the OIDC Provider cache and the SECValidateAccessToken SDK routine |
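The following is an added Python model of the refresh and purge policy described above (advance renewal, default expiration when no Cache-Control max-age is returned, and the 12-hour purge of JWKs expired more than 24 hours ago); it is illustrative code, not Domino's own implementation, and the provider names and key ids are constructed sample values.

```python
import re

# Defaults mirror the documented settings, in seconds.
OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL = 10 * 60
OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION = 30 * 60
OIDC_JWK_CACHE_PURGE_INTERVAL = 12 * 60 * 60
OIDC_JWK_CACHE_PURGE_EXPIRED_SEC = 24 * 60 * 60


def max_age_seconds(cache_control):
    """Extract max-age from a Cache-Control header value; None when absent."""
    if not cache_control:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", cache_control, re.IGNORECASE)
    return int(m.group(1)) if m else None


class JwkCache:
    """Trusted-JWK cache keyed by kid, with per-provider refresh scheduling."""

    def __init__(self):
        self.keys = {}            # kid -> (jwk dict, expiry timestamp)
        self.next_refresh = {}    # provider -> timestamp at which to refetch
        self.last_purge = 0.0     # timestamp of the last purge pass

    def store(self, provider, jwks, cache_control, now):
        """Record a fetched JWK set; keys not republished keep their old expiry."""
        ttl = max_age_seconds(cache_control)
        if ttl is None:
            ttl = OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION   # no max-age returned
        for jwk in jwks:
            self.keys[jwk["kid"]] = (jwk, now + ttl)
        # Refetch ahead of expiry so verification never sees a stale set.
        self.next_refresh[provider] = now + ttl - OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL

    def providers_due(self, now):
        """Providers the once-a-minute check would refetch at time `now`."""
        return sorted(p for p, t in self.next_refresh.items() if now >= t)

    def purge(self, now):
        """Run at most every 12 hours; drop keys expired more than 24 hours ago."""
        if now - self.last_purge < OIDC_JWK_CACHE_PURGE_INTERVAL:
            return []
        self.last_purge = now
        stale = sorted(k for k, (_, exp) in self.keys.items()
                       if now - exp > OIDC_JWK_CACHE_PURGE_EXPIRED_SEC)
        for k in stale:
            del self.keys[k]
        return stale

    def lookup(self, kid):
        """Return the cached JWK for a token's kid header, or None."""
        return self.keys.get(kid, (None, None))[0]
```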