For legacy reasons, we have to check the token validity/signature etc at each call.
In some cases, the call to /.well-known/openid-configuration is rejected due to several calls being made at the same time.
I made something like this to reduce the number of calls:
That’s more or less what I implemented above, but I was wondering if I need to put a validity date on the data retrieved from /.well-known/openid-configuration or will it always be the same?
The data retrieved is certainly subject to change, but it shouldn’t be often at all; it really just depends on whether you are making changes to your tenant that will affect this information. I would say fetching once a day or less should be sufficient. You could also look into configuring some logic to request it when your app experiences a failure that could be related to this configuration.
This isn’t an exhaustive list but I might look out for token validation errors, authentication request issues, token refresh errors, userinfo endpoint access, response/grant type errors, etc. Basically anything that might fail as a result of changes made to the discovery endpoint. If your app begins experiencing unexpected issues, it might be due to the need to refresh discovery data you’ve cached. That being said, I’d expect changes to be infrequent under normal circumstances.
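A cache along the lines discussed in this thread, as an added example that is not code from either poster: it keeps the discovery document for a TTL (a day by default, as suggested above), lets a burst of concurrent callers share a single fetch instead of each hitting the endpoint, and refreshes once after a token validation failure, with a throttle so a flood of bad tokens cannot turn into a flood of discovery requests. The `fetcher` and `verify` callables are assumed, injected interfaces so the block runs offline; in production the fetcher would GET the tenant's /.well-known/openid-configuration.

```python
import threading
import time
from typing import Any, Callable, Dict

class DiscoveryCache:
    """Caches the OIDC discovery document for a TTL and coalesces concurrent fetches."""
    def __init__(self, fetcher: Callable[[], Dict[str, Any]], ttl_seconds: float = 86400,
                 min_refresh_seconds: float = 60, clock: Callable[[], float] = time.monotonic):
        self._fetcher = fetcher  # assumed: returns the parsed discovery document
        self._ttl = ttl_seconds
        self._min_refresh = min_refresh_seconds  # throttles failure-driven refreshes
        self._clock = clock
        self._lock = threading.Lock()
        self._doc = None
        self._fetched_at = float("-inf")
        self.fetch_count = 0  # how often the endpoint was actually called

    def _stale(self) -> bool:
        return self._doc is None or self._clock() - self._fetched_at >= self._ttl

    def get(self) -> Dict[str, Any]:
        if not self._stale():
            return self._doc
        with self._lock:
            # Re-check under the lock so a burst of callers causes a single fetch
            # instead of the simultaneous calls that the thread says get rejected.
            if self._stale():
                self._doc = self._fetcher()
                self._fetched_at = self._clock()
                self.fetch_count += 1
            return self._doc

    def invalidate(self) -> bool:
        """Mark the copy stale after a failure, unless it was fetched very recently;
        the throttle keeps a flood of bad tokens from becoming a flood of fetches."""
        with self._lock:
            if self._clock() - self._fetched_at < self._min_refresh:
                return False
            self._doc = None
            return True

def validate_token(cache: DiscoveryCache, token: str,
                   verify: Callable[[str, Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Verify with the cached discovery data (assumed verifier); on failure refresh once and retry."""
    try:
        return verify(token, cache.get())
    except ValueError:
        if not cache.invalidate():
            raise  # refreshed moments ago, so stale config is not the cause
        return verify(token, cache.get())
```

The retry covers the failure-driven refresh suggested above; the throttle is the caveat that goes with it, since an attacker who can make validation fail should not be able to make you hammer the discovery endpoint.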