Can I rotate JWKS?
I couldn't find the hint about it.
I want to make sure that there is no need to implement JWKS Rotation in the project I am working on.
6 Replies
Hi @Danuel,
Hi there!
You're correct, there's no need for you to implement JWKS Rotation in your project. Kinde handles this for you. When using Kinde's libraries or SDKs, the JWKS rotation is managed automatically.
If you're not using one of Kinde's SDKs, you can use a library to verify your token. The OpenID Foundation has a list of libraries for working with JWT tokens that you can use.
Remember, the library you decide to use will likely require the URL for your public JSON Web Key (also known as a jwks file). The file can be found at https://<your_subdomain>.kinde.com/.well-known/jwks.
I hope this helps! Let me know if you have any other questions.
Hi @Oli - Kinde !
Hi there!
First, thanks for your answer.
And, I realized that there was a lot of context that I hadn't written down.
I'm working with Rust, so I can't get Kinde SDK help at the moment.
- The list of libraries on the OpenID Foundation has no Rust options.
- In Rust jsonwebkey (https://docs.rs/jsonwebkey/latest/jsonwebkey/), there is no rotation support.
So I want to check if I need to implement it myself.
Hey @Danuel,
You are right, there is currently no out-of-the-box Kinde Rust SDK. But you can use Rust with Kinde using the following doc: https://kinde.com/docs/developer-tools/using-kinde-without-an-sdk/
Yeah, thank you. I can see it.
Can I cache the jwks file forever?
Or do I need to implement rotation by referring to another language library?
Hi there!
While you can cache the JWKS file, it's important to note that the keys it contains can occasionally change. Kinde automatically rotates and revokes keys as necessary. If you cache the JWKS file and don't update it, you might end up with outdated keys, which could lead to verification failures when you try to verify JWTs.
So, if you decide to cache the JWKS file, make sure to implement a mechanism to update the cache periodically or when you encounter a JWT that can't be verified with the currently cached keys.
Let me know if you have any other questions!
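One way to implement the refresh policy described in the reply above (refresh periodically, and again when a token names a `kid` the cache does not hold), as an added example that is not part of the original thread and is not Kinde's code. The `JwksCache` type, its `fetch` closure and the two intervals are hypothetical; the HTTP download of the jwks URL, JWK parsing and the signature check itself are left to whichever crates the project uses.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

type Keys = HashMap<String, String>; // kid -> key material (opaque in this sketch)

pub struct JwksCache<F: FnMut() -> Result<Keys, String>> {
    fetch: F,                    // assumed: downloads and parses the JWKS document
    keys: Keys,
    last_fetch: Option<Instant>, // time of the last attempt, successful or not
    max_age: Duration,           // periodic refresh interval
    min_refetch: Duration,       // floor between fetches triggered by unknown kids
}

impl<F: FnMut() -> Result<Keys, String>> JwksCache<F> {
    pub fn new(fetch: F, max_age: Duration, min_refetch: Duration) -> Self {
        Self { fetch, keys: Keys::new(), last_fetch: None, max_age, min_refetch }
    }

    /// Return the key for a token's `kid` header, refreshing the cache if needed.
    pub fn key_for(&mut self, kid: &str, now: Instant) -> Option<String> {
        let age = self.last_fetch.map(|t| now.saturating_duration_since(t));
        let stale = age.map_or(true, |a| a >= self.max_age);
        // An unknown kid usually means rotation, but a client can also send
        // random kids, so refetch for that reason at most once per min_refetch.
        let unknown_and_allowed =
            !self.keys.contains_key(kid) && age.map_or(true, |a| a >= self.min_refetch);
        if stale || unknown_and_allowed {
            self.last_fetch = Some(now);
            if let Ok(fresh) = (self.fetch)() {
                // Replace rather than merge: keys dropped upstream stop verifying.
                self.keys = fresh;
            } // on error the previous keys stay in use until the next attempt
        }
        self.keys.get(kid).cloned()
    }
}

fn main() {
    // Constructed key set standing in for the HTTP fetch of the jwks URL.
    let fetch = || -> Result<Keys, String> {
        Ok(Keys::from([("kid-1".to_string(), "constructed-key".to_string())]))
    };
    let mut cache = JwksCache::new(fetch, Duration::from_secs(3600), Duration::from_secs(60));
    let now = Instant::now();
    println!("kid-1 -> {:?}", cache.key_for("kid-1", now));
    println!("kid-x -> {:?}", cache.key_for("kid-x", now));
}
```

A `None` result means the token must be rejected: its `kid` is not in the current key set and the cache is not yet allowed to refetch.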
Thanks for your answer!
I understand it clearly!