...
Sidecars must be aware of the new signing keys. This happens automatically: the sidecar calls `/protocol/openid-connect/certs` again when it receives a token whose signing key id is not in its cache. However, this forced refresh is performed at most once per configured interval, because currently there is the line `jwtAuthContextInfo.setForcedJwksRefreshInterval($KC_FORCED_JWKS_REFRESH_INTERVAL);`, whose value is given in minutes (by default one hour). A token signed with a key that was rotated inside that window is therefore rejected until the next forced refresh is allowed.
This logic is provided by the following library code:
```java
// Refresh intervals come from configuration (values in minutes; the source of the values is not shown here).
private final int jwksRefreshInterval = ${value from `KC_JWKS_REFRESH_INTERVAL`};
private final int forcedJwksRefreshInterval = ${value from `KC_FORCED_JWKS_REFRESH_INTERVAL`};

var jwtAuthContextInfo = new JWTAuthContextInfo(issuerUri + "/protocol/openid-connect/certs", issuerUri);
// Regular background refresh of the cached JWKS.
jwtAuthContextInfo.setJwksRefreshInterval(this.jwksRefreshInterval);
// Forced refresh when a token carries an unknown key id, at most once per interval
// (the original snippet passed the two intervals to the wrong setters; corrected here to match the text above).
jwtAuthContextInfo.setForcedJwksRefreshInterval(this.forcedJwksRefreshInterval);
var jwtParser = new DefaultJWTParser(jwtAuthContextInfo);
tokenParsers.put(issuerUri, jwtParser);
return jwtParser;
```
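To make the refresh behaviour concrete, here is an added model of the two intervals (written for this page, not smallrye-jwt or the sidecar's code; intervals are in seconds and the key server is a constructed dict). It shows the window in which a token signed with a freshly rotated key is rejected because the forced refresh is throttled, and how shortening `KC_FORCED_JWKS_REFRESH_INTERVAL` closes that window:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class JwksCache:
    """Assumed model of the sidecar's key lookup; not the library's implementation."""
    fetch: Callable[[], Dict[str, str]]   # stands in for GET .../protocol/openid-connect/certs
    refresh_interval: int                 # KC_JWKS_REFRESH_INTERVAL (seconds in this model)
    forced_refresh_interval: int          # KC_FORCED_JWKS_REFRESH_INTERVAL (seconds in this model)
    keys: Dict[str, str] = field(default_factory=dict)
    last_refresh: float = float("-inf")
    last_forced_refresh: float = float("-inf")

    def _refresh(self, now: float) -> None:
        self.keys = dict(self.fetch())
        self.last_refresh = now

    def resolve(self, kid: str, now: float) -> Optional[str]:
        # Regular refresh: the cache is simply stale after refresh_interval.
        if now - self.last_refresh >= self.refresh_interval:
            self._refresh(now)
        if kid in self.keys:
            return self.keys[kid]
        # Unknown kid: re-fetch, but at most once per forced_refresh_interval.
        if now - self.last_forced_refresh >= self.forced_refresh_interval:
            self.last_forced_refresh = now
            self._refresh(now)
            return self.keys.get(kid)
        return None  # rejected although Keycloak already publishes the key

def rotation_scenario(forced_refresh_interval: int = 3600) -> List[bool]:
    """Two key rotations inside one hour; returns whether each token's key was found."""
    published = {"k1": "pub-1"}  # constructed JWKS content served by Keycloak
    cache = JwksCache(fetch=lambda: published, refresh_interval=6 * 3600,
                      forced_refresh_interval=forced_refresh_interval)
    results = [cache.resolve("k1", now=0) is not None]            # initial fetch
    published["k2"] = "pub-2"                                     # first rotation
    results.append(cache.resolve("k2", now=100) is not None)      # forced refresh finds it
    published["k3"] = "pub-3"                                     # second rotation, same hour
    results.append(cache.resolve("k3", now=200) is not None)      # throttled with the default
    results.append(cache.resolve("k3", now=100 + forced_refresh_interval) is not None)
    return results

if __name__ == "__main__":
    print(rotation_scenario())            # [True, True, False, True]
    print(rotation_scenario(60))          # [True, True, True, True]
```

The throttle exists for a reason: without it, a flood of tokens with bogus key ids would turn every request into a JWKS fetch against Keycloak, so lowering the interval trades a shorter rejection window for more load on the issuer.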
...