eclipse-vertx/vertx-auth

Extend JWK rotation

Vorimo opened this issue · 1 comment

Currently, key rotation is based on a config boolean (rotateJWKs) plus the HTTP cache header value (maxAge).

The problem: if an IdP (KeyCloak) doesn't return the HTTP header, we don't really rotate. Perhaps we should make the config a long type, where -1 means false and a positive value becomes the default when the header is not present:

Oauth2AuthProviderImpl.java:130

We should not remove the old config property, as that would break existing code, but deprecate it and make it a synthetic value derived from the new defaultRotateJWKsTimeout (in millis).

Fixed by #572
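The policy proposed above, written out as a small stand-alone Java class. This is an added illustration, not code from vertx-auth or from the linked fix: the class name JwkRotationPolicy, the helper methods, and the header handling are assumptions made here, and the sample responses in main are constructed, not captured from a real IdP. The one setting is the long defaultRotateJWKsTimeout (millis) named in the issue; the old rotateJWKs boolean is derived from it, a present and positive Cache-Control max-age still wins, and a missing header falls back to the default instead of silently disabling rotation.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative JWK rotation policy (not vertx-auth's own code).
 *
 *   defaultRotateJWKsTimeout < 0  -> rotation disabled (the old rotateJWKs=false)
 *   defaultRotateJWKsTimeout > 0  -> rotation enabled; used as the re-fetch
 *                                    interval whenever the JWKS response carries
 *                                    no usable Cache-Control max-age
 */
public final class JwkRotationPolicy { // class name is an assumption

  private final long defaultRotateJWKsTimeout; // millis, as proposed in the issue

  public JwkRotationPolicy(long defaultRotateJWKsTimeout) {
    this.defaultRotateJWKsTimeout = defaultRotateJWKsTimeout;
  }

  /** Synthetic replacement for the deprecated rotateJWKs boolean. */
  public boolean rotateJWKs() {
    return defaultRotateJWKsTimeout > 0;
  }

  /**
   * Delay in milliseconds before the JWKS endpoint should be fetched again,
   * or -1 when rotation is disabled.
   */
  public long nextRotationDelayMillis(Map<String, String> responseHeaders) {
    if (!rotateJWKs()) {
      return -1L;
    }
    Optional<Long> maxAgeSeconds = parseMaxAge(header(responseHeaders, "Cache-Control"));
    // A present, positive max-age wins; a missing, zero or malformed value
    // falls back to the configured default rather than turning rotation off.
    return maxAgeSeconds
        .filter(seconds -> seconds > 0)
        .map(seconds -> seconds * 1000L)
        .orElse(defaultRotateJWKsTimeout);
  }

  /** Case-insensitive header lookup (HTTP header names are case-insensitive). */
  static String header(Map<String, String> headers, String name) {
    for (Map.Entry<String, String> entry : headers.entrySet()) {
      if (entry.getKey().equalsIgnoreCase(name)) {
        return entry.getValue();
      }
    }
    return null;
  }

  /** Extracts max-age from a Cache-Control value; empty when absent or malformed. */
  static Optional<Long> parseMaxAge(String cacheControl) {
    if (cacheControl == null) {
      return Optional.empty();
    }
    for (String directive : cacheControl.split(",")) {
      String d = directive.trim().toLowerCase(Locale.ROOT);
      if (d.startsWith("max-age=")) {
        try {
          return Optional.of(Long.parseLong(d.substring("max-age=".length()).trim()));
        } catch (NumberFormatException e) {
          return Optional.empty();
        }
      }
    }
    return Optional.empty();
  }

  public static void main(String[] args) {
    // Constructed sample responses, not real IdP traffic.
    Map<String, String> withMaxAge = Map.of("Cache-Control", "public, max-age=3600");
    Map<String, String> noCacheHeader = Map.of("Content-Type", "application/json");

    JwkRotationPolicy tenMinutes = new JwkRotationPolicy(600_000L);
    System.out.println("max-age present : " + tenMinutes.nextRotationDelayMillis(withMaxAge));
    System.out.println("header missing  : " + tenMinutes.nextRotationDelayMillis(noCacheHeader));

    JwkRotationPolicy disabled = new JwkRotationPolicy(-1L);
    System.out.println("rotateJWKs      : " + disabled.rotateJWKs());
    System.out.println("disabled        : " + disabled.nextRotationDelayMillis(withMaxAge));
  }
}
```

With the default set to ten minutes, the response carrying max-age=3600 schedules the next fetch an hour out, the response without a cache header schedules it after the configured default, and a negative setting reports rotation as off regardless of what the IdP sends. Whether a positive max-age should be allowed to exceed the configured default (that is, whether the default is a floor, a ceiling, or only a fallback) is a policy choice the issue leaves open; the class above treats it purely as a fallback.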