In JwtBearerHandler the OpenIdConnectConfiguration is only loaded once and cached 'forever' (until the application starts again). What is the recommended way to do signing key rotation? Restarting the application does not work for me.
Scheme handlers are registered as transient dependencies, so the _configuration inside of the JwtBearerHandler is not actually cached at all.

What does cache the configuration is the IConfigurationManager<OpenIdConnectConfiguration> that is used to retrieve the configuration from the authority. That configuration manager is a Microsoft.IdentityModel.Protocols.ConfigurationManager<>, which does have an internal refresh mechanism that makes it refetch the configuration every once in a while. By default, that automatic refresh interval is set to one day, so the configuration manager will fetch the configuration once a day. You can modify that though so it refreshes more often.

To do that, you can adjust the AutomaticRefreshInterval property of the configuration manager. To avoid having to create the configuration manager yourself, you could add a post-configure action to adjust the configuration manager after it has been created. Something like this should work:
    services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        // The default post-configure step creates a ConfigurationManager<OpenIdConnectConfiguration>
        // when Authority is set; only adjust it if that is the type we actually got.
        if (options.ConfigurationManager is ConfigurationManager<OpenIdConnectConfiguration> manager)
        {
            manager.AutomaticRefreshInterval = TimeSpan.FromHours(6);
        }
    });
If you add that after configuring your authentication schemes, the post-configure action should run after the default post-configure action and you should be able to reconfigure the configuration manager.

Of course, what you also can do at any time is explicitly call the RequestRefresh method on the configuration manager. You can do this, for example, if you have some external signal that can notify you of configuration changes. You could, say, provide an API endpoint for this.
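A fuller version of what this answer describes, as an added example that is not code from the original answer: it shortens the automatic refresh via PostConfigure and exposes an authorization-protected endpoint that calls RequestRefresh when an external signal reports a key rotation. The authority, audience, policy name, role name and route are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example.com"; // placeholder authority
        options.Audience = "api://example";               // placeholder audience
    });

// Registered after AddJwtBearer, so it runs after the default post-configure step
// that creates the ConfigurationManager<OpenIdConnectConfiguration>.
builder.Services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    if (options.ConfigurationManager is ConfigurationManager<OpenIdConnectConfiguration> manager)
    {
        // Refetch metadata (and the signing keys it points to) hourly instead of daily.
        manager.AutomaticRefreshInterval = TimeSpan.FromHours(1);
        // Lower bound between two explicit RequestRefresh() refetches (default is 30 seconds).
        manager.RefreshInterval = TimeSpan.FromMinutes(1);
    }
});

// Placeholder policy: only a designated role may trigger a refresh.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("KeyRotationAdmin", policy => policy.RequireRole("key-admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint the identity provider (or an operator) calls after rotating signing keys.
app.MapPost("/admin/refresh-signing-keys", (IOptionsMonitor<JwtBearerOptions> monitor) =>
{
    var options = monitor.Get(JwtBearerDefaults.AuthenticationScheme);
    options.ConfigurationManager?.RequestRefresh(); // next GetConfigurationAsync refetches
    return Results.Accepted();
}).RequireAuthorization("KeyRotationAdmin");

app.Run();
```

RequestRefresh only marks the cached configuration as stale; the actual fetch happens on the next token validation, so the endpoint returns immediately.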