2

I hope this is not a naive question, but how should you save a JWK when getting it from a .well-known/jwks.json domain?

Currently I hard code the modulus and exponent but that doesn't seem to be a great solution.

Adding it to a database seems pointless as it would be an unreasonable call because the e & n value wouldn't change.

Storing in cache seems like one of the best solutions.

Making the call to .well-known/jwks.json for every request just seems unnecessary as well.

What is everybody else's way of doing it?

test

1 Answer

0

The storage of a key set you get through a GET call should rely on the HTTP headers and especially the cache-control directive. If no-cache or no-store are set, then you should not save the key set and get it whenever you need to use it.

In general, you will have a max-age directive (e.g. see the key set from Google). I recommend that you respect that directive and store the key set in your application cache for that time.

I am not sure that the use of a DB is relevant here; a cache storage is generally more efficient than a DB one.

Spomky-Labs
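The caching rule described in the answer, as an added example that is not part of the original answer: an in-memory JWKS cache that stores the key set for the `max-age` lifetime and refetches on every use when `no-cache` or `no-store` is present. The names `cache_lifetime`, `JwksCache` and `fetch_jwks` are hypothetical, and treating a missing or malformed `Cache-Control` header as "do not store" is an assumption of this sketch.

```python
import json
import time
import urllib.request


def cache_lifetime(cache_control):
    """Seconds the key set may be stored; 0 means fetch it on every use."""
    directives = {}
    for part in (cache_control or "").split(","):
        name, _, value = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = value.strip().strip('"')
    if "no-store" in directives or "no-cache" in directives:
        return 0
    try:
        # Assumption: a missing or malformed max-age is treated as not cacheable.
        return max(0, int(directives.get("max-age", "0")))
    except ValueError:
        return 0


def fetch_jwks(url):
    """Fetch the key set over HTTPS; returns (jwks_dict, Cache-Control value)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp), resp.headers.get("Cache-Control")


class JwksCache:
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch      # callable returning (jwks_dict, cache_control)
        self._clock = clock      # injectable so expiry can be tested offline
        self._jwks = None
        self._expires = 0.0

    def keys(self):
        """Return the key set, refetching once the stored copy has expired."""
        if self._jwks is not None and self._clock() < self._expires:
            return self._jwks
        jwks, header = self._fetch()
        ttl = cache_lifetime(header)
        if ttl > 0:
            self._jwks, self._expires = jwks, self._clock() + ttl
        else:
            self._jwks = None    # no-store / no-cache: keep nothing
        return jwks
```

In an application the cache would be built once, for example `JwksCache(lambda: fetch_jwks(JWKS_URL))` with `JWKS_URL` being the issuer's HTTPS key set address, and `keys()` called whenever a token needs verifying.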