Problem
The JWKS endpoint (`/.well-known/jwks.json`) only serves a single key with a hardcoded key ID (`"key-1"`). To rotate the signing key, the operator must deploy a new key and wait for all existing tokens (up to 1 hour for access tokens, 30 days for refresh tokens) to expire before removing the old key — or accept that outstanding tokens will fail validation.
Why it matters
- Key rotation is a security best practice (limits blast radius of a compromised key)
- Compliance frameworks often require periodic key rotation
- Without multi-key JWKS, rotation requires coordinated downtime or causes token validation failures for clients that cache the old JWKS
Suggested approach
- Support loading multiple signing keys (current + previous) from configuration
- Sign new tokens with the current key (identified by `kid`)
- Serve all active public keys in the JWKS endpoint
- `ValidateToken` should select the correct public key based on the JWT's `kid` header
- After all tokens signed with the old key have expired, remove it from the config
This is low priority for a personal project but would be a nice infrastructure improvement if the identity provider is ever used more broadly.
Problem
The JWKS endpoint (`/.well-known/jwks.json`) only serves a single key with a hardcoded key ID (`"key-1"`). To rotate the signing key, the operator must deploy a new key and wait for all existing tokens (up to 1 hour for access tokens, 30 days for refresh tokens) to expire before removing the old key — or accept that outstanding tokens will fail validation.
Why it matters
Suggested approach
This is low priority for a personal project but would be a nice infrastructure improvement if the identity provider is ever used more broadly.