I have a development tenant that I’m using to build out what will be going to production and I’ve noticed something I wanted to clarify before running into the issue later.
I’ve noticed that `GET /.well-known/openid-configuration` off a custom domain is only cached for 15 seconds.
```
HTTP/2 200
date: Mon, 15 Sep 2025 17:52:22 GMT
content-type: application/json; charset=utf-8
content-encoding: br
cf-ray: 97f9fa3b2be1e9e5-LAX
cf-cache-status: EXPIRED
access-control-allow-origin: *
cache-control: public, max-age=15, stale-while-revalidate=15, stale-if-error=86400
last-modified: Mon, 15 Sep 2025 17:52:22 GMT
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding, Origin, Accept-Encoding
access-control-allow-credentials: false
access-control-expose-headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After, DPoP-Nonce, WWW-Authenticate
x-auth0-l: 0.041
x-auth0-requestid: 7175fec565ed0872587f
x-cache-status: BYPASS
x-content-type-options: nosniff
x-ratelimit-limit: 300
x-ratelimit-remaining: 299
x-ratelimit-reset: 1757958803
server: cloudflare
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2
```
In development this seems ideal as it:
- States that caching is applied
- Is low enough to expect rapid prototyping of changes to the OIDC configuration
Ideally this would be raised to something reasonable for production tagged tenants? I see no way this is configurable.
Thanks in advance for the confirmation.
Cheers,
Robby
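
An added example, not part of the original post and not Auth0 code: how a cache that implements RFC 9111 freshness and the RFC 5861 `stale-*` extensions may treat a stored copy of the discovery document under the `cache-control` value shown above. The names `Policy`, `parse_cache_control` and `decide` are hypothetical, and whether a given client or CDN honours the `stale-*` directives is an assumption.

```python
from dataclasses import dataclass

# Header value copied from the response in the post.
HEADER = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400"


@dataclass
class Policy:
    max_age: int = 0
    swr: int = 0            # stale-while-revalidate window, seconds
    sie: int = 0            # stale-if-error window, seconds
    cacheable: bool = True  # False: always contact the origin first


def parse_cache_control(value: str) -> Policy:
    """Parse only the directives this example needs; others are ignored."""
    policy = Policy()
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        name, arg = name.lower(), arg.strip('"')
        if name in ("no-store", "no-cache"):
            policy.cacheable = False
        elif name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "stale-while-revalidate" and arg.isdigit():
            policy.swr = int(arg)
        elif name == "stale-if-error" and arg.isdigit():
            policy.sie = int(arg)
    return policy


def decide(policy: Policy, age: int, origin_ok: bool = True) -> str:
    """What a cache may do with a stored copy that is `age` seconds old."""
    if not policy.cacheable:
        return "fetch"
    if age < policy.max_age:
        return "serve-fresh"
    staleness = age - policy.max_age  # seconds since the copy went stale
    if origin_ok:
        # Stale copy may be served while a background refresh runs.
        return "serve-stale-and-revalidate" if staleness < policy.swr else "fetch"
    # Origin unreachable or returning 5xx: stale-if-error applies.
    return "serve-stale-on-error" if staleness < policy.sie else "error"


if __name__ == "__main__":
    p = parse_cache_control(HEADER)
    for age, ok in [(5, True), (20, True), (60, True), (3600, False)]:
        print(f"age={age:>5}s origin_ok={ok}: {decide(p, age, ok)}")
```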