I’m writing an API that is authenticated with an Auth0 access token. That’s pretty simple and is working fine - including automatically fetching the JKS from the .well-known URL to ensure the token is correct.
What I’m not sure about is validity. The cache control headers say something like 15 seconds, which is obviously not correct. But equally I don’t want to be making an HTTP call to Auth0 for every incoming call that I’m authorising because that’s just expensive.
Is there a standard duration that the JKS is valid for? Or do I really need to refetch it on every token (obeying the cache settings, obviously)?
Auth0 recommends caching the JWKS result and avoiding hitting the JWKS endpoint unnecessarily. It will help improve your application's performance and avoid hitting Auth0 rate limits.
You will want to make sure that if decoding a token fails, you invalidate the cache and retrieve new signing keys before trying only one more time.
I know that it’s recommended to cache the keys. What I couldn’t find is how long for.
I think that’s because, on re-reading it, there is no time limit. Instead they seem to be suggesting to cache them until they stop working, and only then to re-request new ones. That’s a bit awkward but it’s also the safest with the least network traffic.
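Example code added here (not from Auth0 or from any poster in this thread): a JWKS cache implementing the approach described above, keeping keys until a lookup fails, then refreshing at most once, with a refresh cooldown so a flood of tokens carrying unknown key ids cannot drive repeated fetches. The fetch function, the JWKS documents and the clock are constructed stand-ins; in a real service the fetch would call the .well-known URL and the selected key would be handed to a JWT library.

```python
import time
from typing import Callable, Optional


class JwksCache:
    """Caches JWKS keys by key id (kid).

    Keys are kept until a lookup misses. A miss triggers a refresh, but
    refreshes are rate limited (min_refresh_interval) so that bogus tokens
    cannot turn the cache into a request amplifier against the JWKS endpoint.
    """

    def __init__(self, fetch_jwks: Callable[[], dict],
                 min_refresh_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_jwks          # hypothetical: returns the parsed JWKS document
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._keys: dict[str, dict] = {}
        self._last_refresh: Optional[float] = None
        self.fetch_count = 0              # exposed so callers can observe endpoint traffic

    def _refresh(self) -> bool:
        """Fetch a fresh JWKS unless the last fetch was too recent."""
        now = self._clock()
        if self._last_refresh is not None and now - self._last_refresh < self._min_interval:
            return False                  # cooldown active: keep serving the current cache
        jwks = self._fetch()
        self.fetch_count += 1
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_refresh = now
        return True

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK for this kid, refreshing once on a miss."""
        if not self._keys:
            self._refresh()               # first use: populate the cache
        key = self._keys.get(kid)
        if key is None and self._refresh():
            key = self._keys.get(kid)     # retry exactly once after a refresh
        return key


def demo() -> dict:
    """Constructed scenario: key 'new' only appears in the JWKS after a rotation."""
    published = [{"keys": [{"kid": "old", "kty": "RSA", "alg": "RS256"}]}]
    now = [0.0]                           # fake clock, advanced by hand
    cache = JwksCache(lambda: published[0], min_refresh_interval=60.0, clock=lambda: now[0])
    r = {"old_found": cache.get_key("old") is not None, "fetches_after_old": cache.fetch_count}
    r["bogus_found"] = cache.get_key("bogus") is not None   # miss, but cooldown blocks a refetch
    r["fetches_after_bogus"] = cache.fetch_count
    published[0] = {"keys": published[0]["keys"] + [{"kid": "new", "kty": "RSA", "alg": "RS256"}]}
    now[0] = 120.0                        # cooldown has elapsed when the rotated key shows up
    r["new_found"] = cache.get_key("new") is not None
    r["fetches_after_new"] = cache.fetch_count
    return r
```

Matching on `kid` avoids trying every cached key against each token, and the cooldown bounds worst-case traffic to one fetch per interval regardless of how many bad tokens arrive.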