The JWKURL refresh is driven by a response header:
In my case the header was returning a dynamic value that was unrelated to the TTL of the key at the JWKURL. I was able to fix the issue on my end since I owned the server in question, but I think it would be wise to add an override so it can be configured from the client side how often Dgraph refreshes the JWK.
- [x] Dgraph (community edition/Dgraph Cloud)
If you are using the community edition or enterprise edition of Dgraph, please list the version:
- Spin up a Vault server
- Enable the Identity engine
- Use the JWK url of the Vault server in your Authorization config on a GraphQL schema
- Wait until the JWK url expires.
- JWT auth won’t work and will return a JWT unverified error from Dgraph
Using the max-age of the Cache-Control seems like an arbitrary decision. I saw that Auth0 uses max-age=15 but I’m not sure where the value is coming from. I also don’t see it as part of the OIDC standard (but I only searched briefly).