Validation Key Rotation Considerations

When configured to obtain OAuth 2.0 access token validation keys in the form of a JWKS from an HTTP(S) JWKS endpoint (see oauth2_server_validation_key), the EMS server is capable of handling automatic or manual validation key rotations at the OAuth 2.0 provider. To minimize connection disruption due to validation key rotations, the EMS server will automatically attempt to refresh its existing JWKS under certain conditions.

If the response from the JWKS fetch contains a Cache-Control header with a max-age directive or an Expires header, the EMS server will refresh its JWKS when the expiration time specified in either of the headers nears. If both headers are present, the Cache-Control header will take precedence. If neither header is present, the EMS server will schedule a refresh according to the configured value of oauth2_key_refresh_interval. Refer to your OAuth 2.0 provider’s documentation to ensure these headers exist if the validation keys are configured to automatically rotate on an interval.

If an incoming connection to the EMS server provides an OAuth 2.0 JWT access token that doesn’t match any of the keys in its existing JWKS, the server is capable of refreshing its JWKS and reattempting authentication of the incoming connection. The server will only perform a JWKS refresh in this scenario if the amount of time specified by oauth2_key_refresh_threshold has elapsed since the last such JWKS refresh was performed.
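The refresh policy described in the two paragraphs above (header-driven scheduling with Cache-Control taking precedence over Expires, falling back to the configured interval, plus a threshold-throttled refresh on an unknown key ID) can be modelled compactly. The following is an added illustration, not EMS code; the `fetch` callback, the `JwksCache` class and the header dictionary shape are assumptions for the example.

```python
# Added illustration of the JWKS refresh policy described above; not EMS code.
import email.utils
import re
import time


def next_refresh(headers, now, default_interval):
    """Return the epoch time at which a JWKS fetched at `now` should be refreshed.
    Cache-Control max-age wins over Expires; with neither header present the
    configured refresh interval (oauth2_key_refresh_interval) applies."""
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    if m:
        return now + int(m.group(1))
    exp = headers.get("Expires")
    if exp:
        return email.utils.parsedate_to_datetime(exp).timestamp()
    return now + default_interval


class JwksCache:
    """Caches validation keys by kid. `fetch` is an assumed callback returning
    (response_headers, {kid: key}); `clock` is injectable for testing."""

    def __init__(self, fetch, refresh_interval, refresh_threshold, clock=time.time):
        self.fetch = fetch
        self.refresh_interval = refresh_interval      # oauth2_key_refresh_interval
        self.refresh_threshold = refresh_threshold    # oauth2_key_refresh_threshold
        self.clock = clock
        self.keys = {}
        self.next_refresh_at = 0.0
        self.last_miss_refresh = None                 # time of last miss-triggered refresh
        self.refresh()

    def refresh(self):
        now = self.clock()
        headers, keys = self.fetch()
        self.keys = keys
        self.next_refresh_at = next_refresh(headers, now, self.refresh_interval)

    def key_for(self, kid):
        """Return the key for `kid`, or None if it is unknown after any permitted refresh."""
        now = self.clock()
        if now >= self.next_refresh_at:               # scheduled (header- or interval-driven) refresh
            self.refresh()
        key = self.keys.get(kid)
        if key is None and (self.last_miss_refresh is None
                            or now - self.last_miss_refresh >= self.refresh_threshold):
            # Unknown kid: refresh once, then not again until the threshold has elapsed,
            # so a flood of tokens with bogus kids cannot hammer the JWKS endpoint.
            self.last_miss_refresh = now
            self.refresh()
            key = self.keys.get(kid)
        return key
```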