We’re using jitsi for our services with JWT tokens based on public/private keys.
We are artificially handling expiration of those keys on the ASAP server and also handle renewal of new public/private key pairs if needed and if allowed by our licence. All keys for one customer have the same kid.
In this setup we found a problem with jitsi, respectively the jitsi prosody plugin that handles verification of JWT tokens. Once it downloads a public key from the ASAP server it stores the key in a cache and next time it looks in that cache. The cache size can be set (jwt_pubkey_cache_size, default 128), but cannot be set to zero, i.e. it is not possible to disable it.
So the problem is, when we rotate public/private keys, there is a chance that prosody has the old key in cache and thus won’t authenticate users. We can set the cache to 1 entry, which will limit this case dramatically, but not completely - when we renew the key pair on a meeting request there is a high chance that the key stored in cache is actually for the kid that has its key rotated.
Can we have some setting to disable caching of jwt public keys?
Currently we are internally patching the prosody plugin to disable this behaviour, but maybe someone else would want this.
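The stale-cache failure described in the post, reproduced as an added Python simulation (not jitsi or prosody code, which is Lua). It models a kid-keyed LRU cache in front of a key server, rotates the key for one kid, and shows that a verifier which trusts its cache rejects tokens signed with the new key, while a verifier that evicts and refetches once on signature failure keeps working. The `ASAPServer`, `Verifier` and `demo` names are hypothetical, and HMAC stands in for asymmetric signature verification so the example runs offline without extra packages:

```python
"""Constructed simulation of a kid-keyed JWT public-key cache and key rotation.
Hypothetical code for illustration; not jitsi's prosody token plugin."""
import base64
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ASAPServer:
    """Stand-in for the key server: one key per kid, rotatable at any time.
    HMAC is used here in place of an RSA/EC key pair so the example is
    dependency-free; the cache behaviour is the same either way."""

    def __init__(self):
        self._keys = {}  # kid -> current key material (constructed)

    def issue(self, kid: str) -> None:
        self._keys[kid] = secrets.token_bytes(32)

    def rotate(self, kid: str) -> None:
        self.issue(kid)  # same kid, fresh key material

    def fetch_public_key(self, kid: str) -> bytes:
        return self._keys[kid]

    def sign(self, kid: str, payload: dict) -> str:
        header = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
        body = _b64e(json.dumps(payload).encode())
        signing_input = f"{header}.{body}".encode()
        sig = hmac.new(self._keys[kid], signing_input, hashlib.sha256).digest()
        return f"{header}.{body}.{_b64e(sig)}"


class Verifier:
    """Token verifier with a bounded LRU cache keyed by kid."""

    def __init__(self, server: ASAPServer, cache_size: int = 128,
                 refetch_on_failure: bool = False):
        self.server = server
        self.cache_size = cache_size
        self.refetch_on_failure = refetch_on_failure
        self.cache = OrderedDict()
        self.fetches = 0  # how often the key server was contacted

    def _key(self, kid: str, force: bool = False) -> bytes:
        if not force and kid in self.cache:
            self.cache.move_to_end(kid)
            return self.cache[kid]
        key = self.server.fetch_public_key(kid)
        self.fetches += 1
        self.cache[kid] = key
        self.cache.move_to_end(kid)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict least recently used
        return key

    @staticmethod
    def _check(key: bytes, signing_input: bytes, sig: bytes) -> bool:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def verify(self, token: str) -> bool:
        header_b64, body_b64, sig_b64 = token.split(".")
        kid = json.loads(_b64d(header_b64))["kid"]
        signing_input = f"{header_b64}.{body_b64}".encode()
        sig = _b64d(sig_b64)
        if self._check(self._key(kid), signing_input, sig):
            return True
        if self.refetch_on_failure:
            # Mitigation: the cached key may be stale after a rotation, so
            # evict it and try exactly once more with a freshly fetched key.
            return self._check(self._key(kid, force=True), signing_input, sig)
        return False


def demo() -> dict:
    """Rotate a key and compare a cache-trusting verifier with a refetching one."""
    server = ASAPServer()
    server.issue("customer-A")
    naive = Verifier(server)
    hardened = Verifier(server, refetch_on_failure=True)
    first = server.sign("customer-A", {"room": "demo"})
    result = {"before_rotation": (naive.verify(first), hardened.verify(first))}
    server.rotate("customer-A")  # same kid, new key pair
    second = server.sign("customer-A", {"room": "demo"})
    result["after_rotation"] = (naive.verify(second), hardened.verify(second))
    result["fetches"] = (naive.fetches, hardened.fetches)
    return result


if __name__ == "__main__":
    print(demo())
```

The refetch path runs for every token that fails verification, including garbage, so in a real deployment it should be rate-limited per kid; otherwise an unauthenticated client can turn each bad token into a request to the key server. Disabling the cache outright, as the post asks, has the same amplification property for every token, which is one reason to prefer "refetch once on failure" over "never cache".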