jwks should handle rotated keys
The jwks list doesn't appear to provide any mechanism for periodic refreshing or rediscovery of missing keys. OIDC providers may rotate keys at any time, so the keys should be periodically reloaded, or the issuer re-queried if the kid isn't found. Microsoft has some good guidance on the matter, though making some of the parameters dynamic would probably be a good idea to support a wide range of IdPs:
> General considerations:
>
> - The service validating tokens should have a cache capable of storing many distinct keys (10-1000).
> - The keys should be cached individually, using the key ID ("kid" in the OIDC keys metadata specification) as a cache key.
> - The time-to-live of keys in the cache should be configured to 24 hours, with refreshes happening every hour. This makes sure the system can respond quickly to keys being removed, but has enough cache duration to not be affected by problems in fetching keys.
> - The keys should be refreshed:
>   - Once on process startup or when the cache is empty
>   - Periodically (recommended every 1 hour) as a background job
>   - Dynamically if a received token was signed with an unknown key (unknown kid or tid in the header)
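The refresh policy quoted above, as an added illustration that is not part of this issue or of the project's code: a per-kid JWKS cache with the 24h TTL, hourly refresh and on-demand refresh for unknown kids. The `JwksCache` class, the `MIN_REFRESH_GAP` rate limit on unknown-kid lookups, the injected `fetch_jwks`/`now` callables and the fake issuer in `simulate_rotation` are all assumptions made for the example.

```python
import time

KEY_TTL = 24 * 3600       # drop a key the issuer has not published for 24h
REFRESH_INTERVAL = 3600   # scheduled refresh every hour
MIN_REFRESH_GAP = 60      # rate-limit refreshes triggered by unknown kids (assumed value)

class JwksCache:
    def __init__(self, fetch_jwks, now=time.time):
        self._fetch, self._now = fetch_jwks, now   # fetch_jwks would GET the issuer's jwks_uri
        self._keys = {}        # kid -> JWK
        self._seen_at = {}     # kid -> time of the last refresh that returned it
        self._last_refresh = 0.0
        self.refresh()         # once on startup / when the cache is empty

    def refresh(self):
        now = self._now()
        try:
            keys = self._fetch().get("keys", [])
        except Exception:
            keys = []   # fetch failed: keep serving cached keys until their TTL runs out
        for jwk in (j for j in keys if j.get("kid")):
            self._keys[jwk["kid"]] = jwk
            self._seen_at[jwk["kid"]] = now
        for kid in [k for k, t in self._seen_at.items() if now - t > KEY_TTL]:
            del self._keys[kid], self._seen_at[kid]   # issuer stopped publishing it
        self._last_refresh = now

    def get_key(self, kid):
        now = self._now()
        if now - self._last_refresh >= REFRESH_INTERVAL:
            self.refresh()   # periodic refresh (a service would run this as a background job)
        if kid not in self._keys and now - self._last_refresh >= MIN_REFRESH_GAP:
            self.refresh()   # dynamic refresh on an unknown kid, rate-limited against the issuer
        return self._keys.get(kid)

def simulate_rotation():  # fake clock + fake issuer that rotates keys (constructed data)
    clock, published, fetches = {"t": 0.0}, {"keys": [{"kid": "k1", "kty": "oct", "k": "c1"}]}, []
    def fetch():
        fetches.append(clock["t"])            # record when the issuer was queried
        return published
    cache = JwksCache(fetch, now=lambda: clock["t"])
    clock["t"] += 90                          # issuer publishes a new key; a token arrives with it
    published["keys"].append({"kid": "k2", "kty": "oct", "k": "c2"})
    k2 = cache.get_key("k2") is not None      # unknown kid -> dynamic refresh
    published["keys"] = [k for k in published["keys"] if k["kid"] != "k1"]   # issuer retires k1
    clock["t"] += REFRESH_INTERVAL
    k1_in_ttl = cache.get_key("k1") is not None    # still served within the 24h TTL
    clock["t"] += KEY_TTL
    k1_after_ttl = cache.get_key("k1") is not None
    return {"fetches": fetches, "k2": k2, "k1_in_ttl": k1_in_ttl, "k1_after_ttl": k1_after_ttl}
```

Calling `simulate_rotation()` shows four fetches (startup, the unknown-kid lookup, and two scheduled refreshes), with the retired key still served for 24h and gone afterwards.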
Hi, thanks for this summarized information. There is an open issue about the same topic, I think: #28