Managing the JSON Web Key cache - Need a Domino Consultant? Call NotesMail +1 212-599-2048- HCLSoftware Business Partner

SECURING

Managing the JSON Web Key cache
A thread in the HTTP server task manages JSON Web Keys (JWKs), fetching and refreshing them from configured OIDC providers. These trusted JWKs are used to cryptographically verify the JWTs used for HTTP Bearer Authentication and OIDC-based SSO.

About this task

In addition to loading JWKs from each configured OIDC provider's jwks_uri endpoint when the HTTP task starts and restarts, the JWK cache management thread tracks the JWK expiration time returned by providers in their cache-control response headers and refreshes providers' JWKs before they expire. Providers that do not return cache-control headers are refreshed every 15 minutes by default.

The JWK cache management thread also checks the cache for long-expired JWKs and removes them to prevent the cache from growing out of control.

Procedure

If you want change the timing of an action in the following table, edit the its NOTES.INI setting.

Table 1. Default settings

Setting	Description
OIDC_PROVIDER_CACHE_POLLING_INTERVAL=30	Thread polls for actions every 30 seconds
OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL=60	Thread updates Providers 60 seconds before expiration
OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION=15*60	Providers without Max-age update every 15 minutes by default
OIDC_JWK_CACHE_PURGE_INTERVAL=126060	Purge long-expired JWKs every 12 hours by default
OIDC_JWK_CACHE_PURGE_EXPIRED_SEC=246060	Purge only JWKs that expired more than 24 hours ago

Parent topic: Preparing for OIDC authentication

Help on Help

All Help Contents

Help on Help

All Help Contents