JWK key rotation

[jbabala]

Hello Team,

I'm using client_credentials grant with private_key_jwt assertion. When Client is setup, the --jwks-uri is provided which fetches JWK keys from remote endpoint. The key is then cached for future use (correctly) in Hydra instead of fetching it with each request. This keys are then subsequently used to verify signature of JWT token used in assertion.

Would you be able to tell me how often is key fetched from remote endpoint after initial caching? I'm trying to understand what mechanism allows for rotating this keys. Would it be possible to set timeout after which keys are fetched again?

Appreciate your work and many thanks!

[jbabala]

In case anyone is looking for the same answer, the Hydra seems to be caching keys as follows:

• As described in section 10.1.1. of OpenID Connect Core 1.0 specific (Key rotation - if unknown kid is present in JWT assertion, Hydra fetches/updates the keys from remote /.well-known/jkws.json URI)
• Upon server restart

[vinckr]

Hey Jozef,
glad you figured it out!
Did you see this document: https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation and if yes is there something we can improve there in your opinion?

[jbabala]

Hello vinckr,

Sure, while guide mentions key rotation on Hydra side, it does not describe mechanism of caching/retrieving keys from remote endpoint when client is configured with private_key_jwt assertion (URI is passed as parameter --jwks-uri during client setup).

I would recommend to add this info to https://www.ory.sh/docs/hydra/guides/jwt#using-jwts-for-client-authentication where various scenarios with jwt assertions are described.

Jozef