0

With JWT approach we get advantage that we don't need to call auth server every time. We need public key to verify JWT token issued via RSA-256. And public keys are getting rotated (Ref - https://www.keycloak.org/docs/latest/server_admin/#rotating-keys) and hence I have to fetch public key from auth server every time before validating the JWT token.

Then what is the advantage of having JWT, can someone help me understanding this?

Anurag
  • 1,013
  • 11
  • 30
  • No, you don't need to fetch the key every time. The jwt should contain a keyid if the public key. So when you try to validate your token, check if you have already cached the public key. If not fetch a new key and cache it. Else use the cached key ... – derpirscher Dec 08 '22 at 06:35

1 Answers1

0

Thanks @derpirscher for answer. For future moving your comment as answer

No, you don't need to fetch the key every time. The jwt should contain a keyid if the public key. So when you try to validate your token, check if you have already cached the public key. If not fetch a new key and cache it. Else use the cached key.

Anurag
  • 1,013
  • 11
  • 30