Problem statement
When requests are made to the /.well-known/openid-configuration and /.well-known/jwks.json endpoints, 401 errors are frequently observed. AWS API Gateway is in use.
It seems similar to this issue reported in the Auth0 Community: Intermittent "OIDC discovery endpoint communication error" when using JWT Authorizer with AWS HTTP API.
Cause
This is a known issue that can be caused by a couple of factors, including intermittent network issues that result in slow cache responses on our Network Edge, combined with an apparent hard limit of a 1500 millisecond timeout imposed by AWS for these kinds of requests. See Amazon API Gateway quotas and important notes.
Solution
The following are some solutions to minimize these errors.
- Cache the responses from these endpoints and reduce the number of requests made to the /.well-known/* endpoints. This is recommended in the following docs.
- Configure JWT Authorizers to cache public keys for up to two hours at a time. Refer to item #3 in Controlling access to HTTP APIs with JWT authorizers.
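The same mitigation applied to a self-hosted token verifier, as an added example that is not part of this article and not Auth0 or AWS code: a JWKS cache that keeps keys for up to two hours and, when a refresh fails or times out, keeps serving the last known-good key set instead of rejecting every token. The fetcher, clock and key values are constructed stand-ins for the real /.well-known/jwks.json request.

```python
"""JWKS cache with a two-hour TTL and stale-on-error fallback (illustrative, constructed)."""
import time

DISCOVERY_TIMEOUT_SECONDS = 1.5      # mirrors the 1500 ms limit described above
MAX_TTL_SECONDS = 2 * 60 * 60        # cache public keys for up to two hours


class JwksCache:
    """Caches a JWKS document and tolerates intermittent discovery failures."""

    def __init__(self, fetch_jwks, ttl=MAX_TTL_SECONDS, clock=time.monotonic):
        self._fetch = fetch_jwks       # hypothetical callable: returns JWKS dict or raises
        self._ttl = ttl
        self._clock = clock
        self._keys = None
        self._fetched_at = None
        self.fetch_count = 0           # number of upstream requests attempted

    def get_keys(self):
        now = self._clock()
        if self._keys is not None and now - self._fetched_at < self._ttl:
            return self._keys          # fresh: no request to /.well-known/jwks.json
        self.fetch_count += 1
        try:
            self._keys = self._fetch()
            self._fetched_at = now
        except Exception:
            if self._keys is None:
                raise                  # nothing cached yet: the failure must surface
            # Refresh failed (e.g. slow edge response past the timeout): keep serving
            # the stale key set; the next call retries because _fetched_at is unchanged.
        return self._keys

    def key_for(self, kid):
        """Look up a key by 'kid' in the cached set; returns None if absent."""
        return next((k for k in self.get_keys().get("keys", []) if k.get("kid") == kid), None)


def make_flaky_fetcher(fail_every=2):
    """Constructed fetcher: every Nth call times out, the others return a fresh JWKS."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] % fail_every == 0:
            raise TimeoutError(f"discovery request exceeded {DISCOVERY_TIMEOUT_SECONDS}s")
        return {"keys": [{"kid": f"key-{calls['n']}", "kty": "RSA", "use": "sig"}]}

    return fetch
```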