This cache control leads me to believe that I should be re-fetching the jwks every 15 seconds in order to obey the caching behavior sent back from the endpoint.
However, fetching every 15 seconds seems excessive. Other posts on the forum recommend hours between fetches.
Why don’t the cache control headers contain data that aligns with the recommendations from support here?
There isn’t an exact number of seconds you need to cache the JWKs, as stated in this post:
JWKs will return the same set of keys most of the time, so you can just cache them and keep using them, and if they get denied you can request them again.
If you have any other question feel free to reach out.
Hey Vlad, thanks for the context. Can you elaborate on what you mean by denied? Are you suggesting that any time I attempt to authorize a token using the public keys, and they fail, I should attempt to re-fetch the public keys and try again?
Yes, you should refetch the public keys and try again. The signing keys can be found in your tenant's settings. They need to be refetched only if they get revoked.
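The refetch-on-failure policy described above, as an added example that is not from the thread or from Auth0's own libraries: a JWKS cache that serves keys from memory, re-fetches only when a token's key id is unknown, and rate-limits those re-fetches so a flood of tokens with bogus `kid` values cannot turn every failed verification into an outbound JWKS request. `fetchJwks` is an assumed injected function returning a JWKS document; the JWKS documents and the clock are constructed for the demo.

```javascript
// Minimal JWKS cache: hit = no network; miss = one refetch, but only if the
// last fetch is older than minRefetchMs, so unknown kids cannot force a
// request storm against the JWKS endpoint.
class JwksCache {
  constructor(fetchJwks, { minRefetchMs = 60000, now = Date.now } = {}) {
    this.fetchJwks = fetchJwks;   // assumed async () => ({ keys: [{ kid, ... }] })
    this.minRefetchMs = minRefetchMs;
    this.now = now;               // injectable clock for deterministic tests
    this.keys = new Map();
    this.lastFetch = -Infinity;
    this.fetchCount = 0;
  }

  async refresh() {
    const jwks = await this.fetchJwks();
    this.keys = new Map(jwks.keys.map((k) => [k.kid, k]));
    this.lastFetch = this.now();
    this.fetchCount += 1;
  }

  async getKey(kid) {
    if (this.keys.size === 0) await this.refresh();       // cold start
    let key = this.keys.get(kid);
    if (key) return key;                                   // cache hit
    if (this.now() - this.lastFetch < this.minRefetchMs) { // miss, but refetched recently
      throw new Error(`Invalid signing key: unknown kid ${kid} (refetch rate-limited)`);
    }
    await this.refresh();                                  // miss: endpoint may have rotated keys
    key = this.keys.get(kid);
    if (!key) throw new Error(`Invalid signing key: unknown kid ${kid}`);
    return key;
  }
}

// Constructed JWKS documents simulating a key rotation at the endpoint.
const jwksV1 = { keys: [{ kid: 'key-1', kty: 'RSA', use: 'sig' }] };
const jwksV2 = { keys: [...jwksV1.keys, { kid: 'key-2', kty: 'RSA', use: 'sig' }] };

// Drive the cache through: hit, miss that is rate-limited, miss that refetches.
async function demo() {
  let served = jwksV1;
  let clock = 0;
  const cache = new JwksCache(async () => served, { minRefetchMs: 60000, now: () => clock });
  const first = (await cache.getKey('key-1')).kid;   // cold start: 1 fetch
  const second = (await cache.getKey('key-1')).kid;  // hit: still 1 fetch
  let limited = false;
  try { await cache.getKey('key-2'); } catch { limited = true; } // too soon: no fetch
  served = jwksV2;                                   // endpoint adds key-2
  clock = 120000;                                    // two minutes later
  const rotated = (await cache.getKey('key-2')).kid; // miss: refetch, 2 fetches total
  return { first, second, limited, rotated, fetches: cache.fetchCount };
}
```

In production `minRefetchMs` would be tuned to the issuer's rotation cadence, and a verification failure for any reason other than an unknown key id should not trigger a refetch at all.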
Yes, you will receive different error messages based on the reason.
For an authorization token it might be something like:
UnauthorizedError: No authorization token was found
or UnauthorizedError: Authorization token in invalid
For the JWKS it’s JsonWebTokenError, JsonWebKeySetsError or jwks Failure: Error: followed by the reason. It can either be Invalid certificate or Invalid signing key.