Tags: python-3.x, flask, jwt, auth0

Is it safe to do server side (python3/flask) caching of JSON Web Key Sets (JWKS) from Auth0 for a minute or so?


I'm fetching the JWKS from https://X.auth0.com/.well-known/jwks.json server side. I'm wondering if it is safe to cache them for some minutes, because it seems wasteful to constantly barrage that endpoint with GETs.

I'm using flask and was planning on caching it by doing something simple like:

import requests
from flask_caching import Cache  # `cache = Cache(app)` is set up elsewhere in the app
AUTH0_DOMAIN = "X.auth0.com"     # tenant domain, as in the question

@cache.cached(timeout=60, key_prefix='auth0/%s')  # cached 60 s; flask_caching replaces '%s' with request.path
def get_jwks():
    resp = requests.get("https://" + AUTH0_DOMAIN + "/.well-known/jwks.json", timeout=5)
    resp.raise_for_status()  # raise instead of caching an error body as the key set
    return resp.json()

The rest of the implementation is heavily inspired by the auth0 tutorial.

The caching mechanism comes from the library flask_caching, which says:

You are able to use this decorator with any function by changing the key_prefix


Solution

  • A JWKS is an Auth0 concept. It contains the public key set to verify the signature of the issued tokens.

    At the most basic level, the JWKS is a set of keys containing the public keys that should be used to verify any JWT issued by the authorization server.

    A public key can be safely published. It will only change when a new key pair is generated. I do not know how the process of renewing a key works: manual or automatic. But you can cache it perfectly. Just make sure to download the public key again after a failed verification, if the reason is a bad public key.
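The answer's two rules, cache the key set and refetch when a token names a key you don't have, are easy to get subtly wrong: if every unknown `kid` triggers a fetch, anyone who can send you tokens can make your server hammer the JWKS endpoint. The following is an added example written for this page, not code from the asker, the answerer or Auth0. It uses symmetric `kty: "oct"` keys with HS256 (also valid JWKS content per RFC 7517) so that it runs with the Python standard library only; an Auth0 tenant publishes RSA keys for RS256, which you would verify with a JWT library, but the cache and refresh logic is the same. `FakeJwksEndpoint`, `JwksCache`, `sign_hs256`, `verify_hs256`, the key ids `k1`/`k2` and the 60 s / 30 s intervals are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeJwksEndpoint:
    """Constructed stand-in for GET https://<tenant>.auth0.com/.well-known/jwks.json.

    It serves "oct" (HMAC) keys so the example needs no crypto library; Auth0 serves
    RSA keys for RS256, but the caching behaviour demonstrated here does not change.
    """

    def __init__(self, secrets: dict):
        self.secrets = secrets  # kid -> raw HMAC secret (constructed sample keys)
        self.fetches = 0        # counts how often the endpoint was actually hit

    def fetch(self) -> dict:
        self.fetches += 1
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url_encode(s)}
                         for kid, s in self.secrets.items()]}


class JwksCache:
    """Cache a JWKS for `ttl` seconds and refresh early when a token names an unknown kid,
    but at most once per `min_refresh_interval` seconds, so tokens with made-up kids
    cannot turn the cache into a request amplifier against the JWKS endpoint."""

    def __init__(self, fetch, ttl=60.0, min_refresh_interval=30.0, clock=time.monotonic):
        self._fetch, self._ttl, self._min_refresh_interval, self._clock = fetch, ttl, min_refresh_interval, clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def get_key(self, kid: str) -> dict:
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()                       # normal TTL expiry
        key = self._keys.get(kid)
        if key is None and now - self._fetched_at >= self._min_refresh_interval:
            self._refresh()                       # possible key rotation: try once more
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no key with kid={kid!r} in JWKS")
        return key


def sign_hs256(claims: dict, kid: str, secret: bytes) -> str:
    """Constructed token issuer for the example (the real issuer would be Auth0)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, cache: JwksCache, now: float = None) -> dict:
    """Verify signature and exp with the key the cached JWKS holds under the token's kid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":             # pin the algorithm the verifier accepts
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("missing kid")
    jwk = cache.get_key(kid)
    if jwk.get("kty") != "oct" or jwk.get("alg", "HS256") != "HS256":
        raise ValueError("key does not match alg")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

With a 60 s TTL a verifier sees at most one scheduled fetch per minute per process, and a rotated key is picked up on the first token that carries the new `kid`; the 30 s floor on forced refreshes bounds the extra traffic a flood of bogus `kid`s can cause to two requests a minute. In a multi-process Flask deployment the same structure applies per worker, or a shared cache backend can hold the key set.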