Auth0 Home Blog Docs

Will public key from JWKS go invalid

jwks
jwt-validation
python

#1

I have set RS256 algorithm to be used to encode/decode JWT token. This involves make request for JWKS to Auth0 to validate and decode JWT token. To avoid make request every time I cached the public key for the first time and use it for further validation/decode.

Now I’m trying to implement that whenever public key is invalid then make request to Auth0 to get new public key. I don’t know what would be the error case when public key become invaild. Or will the public key go invalid at any point of time?

Note: I store the public key in cache forever


#2

Anyone knows the answer?
Does Auth0 ever invalidate JWKS keys? Are there anyway I as an Auth0 user can invalidate them?


#3

@thirupathir and @sihoang the JWKS endpoint signing keys expire something like every 20 years or so. Currently there is no feature for self-service recycling. However, the way JWKS works is the inbound JWT will have a head with a kid property. That kid is the key identifier for a certificate. If you have cached the cert associated with the kid and it expires you could fetch the JWKS again, but it is likely that key wouldn’t exist due to it being expired. If a new certificate was used for signing you’d get a new kid in the JWT which would exist in the JWKS endpoint and not exist in your cache causing your service to fetch the new kid/cert. So the default behavior here would likely just work with you caching strategy, because the key would be the kid and the value would be the public certificate key.


#4

The kid we were seeing in the JWT has disappeared from the well known keys file, however, Auth0 is still sending it in the kid field of the token, and we can’t look up the key now… so we’re all locked out. It sucks.