Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works
6 days ago
- #.NET
- #JWT
- #Security
- Key rotation is essential for security and compliance because it bounds how long a leaked signing key can mint tokens that are still accepted; the article recommends rotating every 30-90 days.
- Redis stores the key material with a TTL, so keys survive app restarts and expired entries disappear without a cleanup job. Anything private kept there puts Redis inside the trust boundary, so the instance needs authentication, TLS and restricted network access.
- The article introduces a `JwksKeyManager` class to handle key rotation, revocation, and management.
- After rotation the old key's public half stays in the JWKS for 365 days, so tokens signed with it keep validating until they expire on their own; the retention window must be at least as long as the longest token lifetime.
- The implementation includes endpoints for key rotation and revocation, requiring admin privileges.
- Testing shows the system rotates and revokes keys correctly. One caveat: consumers cache the JWKS document, so a freshly rotated kid is unknown to them until they refresh (verifiers should refetch once on an unknown kid), and a revoked key remains trusted by a stale cache until that cache expires.
- The solution is production-ready, lightweight, and follows security best practices.
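The lifecycle the bullets describe (lazy rotation on the signing path, retired keys kept in the JWKS for the retention window, immediate revocation, and a consumer that refetches on an unknown kid), as an added example. This is not the article's `JwksKeyManager` and uses no Redis client: `KeyStore` is a hypothetical in-memory stand-in that models a Redis TTL as an absolute expiry, the class names, the ES256 (P-256) key type and the hand-rolled compact JWS encoding are all assumptions made for this example rather than anything the article specifies, and it runs on the BCL alone (`System.Security.Cryptography`, `System.Text.Json`), so no `Microsoft.IdentityModel` package is needed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed class SigningKey
{
    public required string Kid { get; init; }
    public required DateTimeOffset CreatedAt { get; init; }
    public bool Active { get; set; } = true; // false = retired: still published, never signs again
    public ECDsa Ecdsa { get; } = ECDsa.Create(ECCurve.NamedCurves.nistP256); // private half never leaves this object
}

// Hypothetical stand-in for Redis (assumption, not the article's code): each entry carries
// the absolute expiry a Redis TTL would enforce, so a key drops out of the JWKS when its retention ends.
public sealed class KeyStore
{
    private readonly Dictionary<string, (SigningKey Key, DateTimeOffset ExpiresAt)> _entries = new();
    public void Set(SigningKey key, DateTimeOffset expiresAt) => _entries[key.Kid] = (key, expiresAt);
    public void Delete(string kid) => _entries.Remove(kid);
    public List<SigningKey> Live(DateTimeOffset now) => _entries.Values.Where(e => e.ExpiresAt > now).Select(e => e.Key).ToList();
}

public sealed class JwksRotation
{
    private readonly KeyStore _store;
    private readonly Func<DateTimeOffset> _now; // injected clock so the rotation schedule is testable
    public TimeSpan RotateEvery { get; init; } = TimeSpan.FromDays(30);
    public TimeSpan RetainPublic { get; init; } = TimeSpan.FromDays(365);
    public JwksRotation(KeyStore store, Func<DateTimeOffset> now) { _store = store; _now = now; }

    // Lazy rotation on the signing path: cut a new key only when none is active or it is older than RotateEvery.
    public SigningKey CurrentSigningKey()
    {
        var now = _now();
        var active = _store.Live(now).FirstOrDefault(k => k.Active);
        return active is not null && now - active.CreatedAt < RotateEvery ? active : Rotate(now);
    }

    public SigningKey Rotate(DateTimeOffset now)
    {
        foreach (var k in _store.Live(now)) k.Active = false;
        var fresh = new SigningKey { Kid = Guid.NewGuid().ToString("N"), CreatedAt = now };
        _store.Set(fresh, now + RetainPublic); // public half stays resolvable for the retention window
        return fresh;
    }

    // Revocation is the compromise path: the key leaves the JWKS at once, so every token it
    // signed fails as soon as consumers refresh their cached JWKS.
    public void Revoke(string kid) => _store.Delete(kid);

    public string JwksJson() => JsonSerializer.Serialize(new { keys = _store.Live(_now()).Select(Jwk) });
    private static object Jwk(SigningKey k)
    {
        var q = k.Ecdsa.ExportParameters(false).Q; // public point only
        return new { kty = "EC", crv = "P-256", alg = "ES256", use = "sig", kid = k.Kid, x = B64Url.Encode(q.X!), y = B64Url.Encode(q.Y!) };
    }

    public string Sign(string payloadJson)
    {
        var k = CurrentSigningKey();
        var header = B64Url.Encode(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(new { alg = "ES256", typ = "JWT", kid = k.Kid })));
        var input = header + "." + B64Url.Encode(Encoding.UTF8.GetBytes(payloadJson));
        // SignData returns r||s (IEEE P1363), which is exactly the ES256 signature encoding.
        return input + "." + B64Url.Encode(k.Ecdsa.SignData(Encoding.ASCII.GetBytes(input), HashAlgorithmName.SHA256));
    }
}

// Consumer side. Caches the JWKS and refetches once on an unknown kid, so a freshly
// rotated key verifies without waiting for the cache to expire.
public sealed class JwksVerifier
{
    private readonly Func<string> _fetchJwks;
    private Dictionary<string, ECDsa> _keys = new();
    public JwksVerifier(Func<string> fetchJwks) { _fetchJwks = fetchJwks; Refresh(); }

    public void Refresh() => _keys = JsonDocument.Parse(_fetchJwks()).RootElement.GetProperty("keys").EnumerateArray()
        .ToDictionary(j => j.GetProperty("kid").GetString()!, j => ECDsa.Create(new ECParameters
        {
            Curve = ECCurve.NamedCurves.nistP256,
            Q = new ECPoint { X = B64Url.Decode(j.GetProperty("x").GetString()!), Y = B64Url.Decode(j.GetProperty("y").GetString()!) },
        }));

    public bool Verify(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        var hdr = JsonDocument.Parse(B64Url.Decode(parts[0])).RootElement;
        // Pin the algorithm to the key type we publish; never let the token's "alg" pick the verifier.
        if (!hdr.TryGetProperty("alg", out var alg) || alg.GetString() != "ES256") return false;
        var kid = hdr.TryGetProperty("kid", out var kidEl) ? kidEl.GetString() : null;
        if (kid is null) return false;
        if (!_keys.ContainsKey(kid)) Refresh();                 // unknown kid: maybe a fresh rotation
        if (!_keys.TryGetValue(kid, out var pub)) return false; // still unknown: revoked or past retention
        return pub.VerifyData(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]), B64Url.Decode(parts[2]), HashAlgorithmName.SHA256);
    }
}

static class B64Url
{
    public static string Encode(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    public static byte[] Decode(string s) { var t = s.Replace('-', '+').Replace('_', '/'); return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '=')); }
}
```

To walk the lifecycle, build `var rot = new JwksRotation(new KeyStore(), () => clock)` with a mutable `clock`, create a `JwksVerifier(rot.JwksJson)` so it caches the current JWKS, then sign a token, advance `clock` past 30 days and sign again: the second token carries a new kid, the verifier misses it in its cache, refetches once and accepts it, while the first token still verifies because the retired key remains published. Calling `rot.Revoke(kid)` on the old kid makes the first token fail on the next refresh, and a token verified against a verifier that has not refreshed since the revocation is still accepted, which is exactly the stale-cache window the article's caching note is about. Malformed base64 or JSON in a token throws `FormatException`/`JsonException` from `Verify`; a production verifier should catch those and treat them as a failed verification.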