
OIDC Discovery - verification of key id/cache invalidation #62340

@webns

Description


The new OidcTokenHandler with discovery mechanism is great, but I've run into some problems when using it for keys with rotation. The main issue is that the discovered keys are saved forever and we have no way to refresh them; it was already mentioned in issue #61925.

Even if we have ability to set the cache lifetime, we might still encounter a situation where we discover keys right before their rotation.

One of the possible solutions is to add a check for the kid (https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4) property in the JWS header and compare it with the kid values of the keys currently stored in the cache. If a key with that identifier is missing, we should invalidate the cache and retrieve new keys from the discovery endpoint. The check should be enabled optionally, since kid is not required in the JWS header.

I would like to implement that myself and create a PR, but before I start, I'd like to know whether this approach is good enough for the framework, or if it only addresses my specific issue.

Example

The security OIDC config has an option to enable verification of the kid property:

oidc:
    claim: email
    algorithms: ['ES256', 'RS256']
    audience: 'api-example'
    issuers: ['https://oidc.example.com']
    discovery:
        base_uri: https://www.example.com/realms/demo/
        verify_kid: true

Before every validation of the JWT we check if the kid in the header matches one of the keys stored in the cache. If we don't have a key with the given kid, we fetch a new key set.
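The refresh-on-unknown-kid logic proposed above, written out as an added example. This is not Symfony code and not the issue author's implementation: it assumes a hypothetical `$fetchKeys` closure standing in for the discovery request, uses a constructed JWKS with placeholder coordinates, and adds one check the proposal does not mention, a cooldown between kid-triggered refreshes, so that a stream of tokens with made-up kid values cannot turn every request into a call to the discovery endpoint.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: a discovered-key cache that treats an
// unknown `kid` as a signal to re-run discovery, with a cooldown so tokens
// carrying bogus kids cannot force one discovery request each.
final class RotatingKeySetCache
{
    /** @var array<string, array<string, mixed>> JWKs indexed by kid */
    private array $keys = [];
    private int $fetchedAt = 0;
    private ?int $lastKidRefreshAt = null;
    private int $fetchCount = 0;

    public function __construct(
        private \Closure $fetchKeys,          // hypothetical: returns the "keys" list of a JWKS document
        private int $ttl = 3600,              // seconds a discovered key set is reused
        private int $kidRefreshCooldown = 60, // min seconds between kid-triggered refreshes
        private bool $verifyKid = true,       // the proposed `verify_kid` option
    ) {
    }

    public function getFetchCount(): int
    {
        return $this->fetchCount;
    }

    private function refresh(int $now): void
    {
        $fresh = [];
        foreach (($this->fetchKeys)() as $jwk) {
            if (is_array($jwk) && isset($jwk['kid']) && is_string($jwk['kid'])) {
                $fresh[$jwk['kid']] = $jwk;
            }
        }
        $this->keys = $fresh;
        $this->fetchedAt = $now;
        $this->fetchCount++;
    }

    /**
     * Keys a verifier may try for this protected header. An empty list means reject.
     *
     * @return list<array<string, mixed>>
     */
    public function candidateKeys(array $header, int $now): array
    {
        if ($this->keys === [] || $now - $this->fetchedAt >= $this->ttl) {
            $this->refresh($now); // normal TTL-driven (re)population
        }
        $kid = $header['kid'] ?? null;
        if (!is_string($kid)) {
            // kid is optional in a JWS header: fall back to trying every cached key
            return array_values($this->keys);
        }
        if (!isset($this->keys[$kid]) && $this->verifyKid) {
            $cooldownOver = $this->lastKidRefreshAt === null
                || $now - $this->lastKidRefreshAt >= $this->kidRefreshCooldown;
            if ($cooldownOver) {
                $this->lastKidRefreshAt = $now;
                $this->refresh($now);
            }
        }
        return isset($this->keys[$kid]) ? [$this->keys[$kid]] : [];
    }
}

function base64UrlDecode(string $data): string
{
    $padded = strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $bytes = base64_decode($padded, true);
    if ($bytes === false) {
        throw new InvalidArgumentException('invalid base64url');
    }
    return $bytes;
}

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/** Parse the JOSE protected header of a compact JWS (no signature check here). */
function decodeProtectedHeader(string $jws): array
{
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS');
    }
    $header = json_decode(base64UrlDecode($parts[0]), true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($header)) {
        throw new InvalidArgumentException('protected header is not a JSON object');
    }
    return $header;
}

// Constructed JWKS content; coordinates are placeholders, not real key material.
$published = [['kty' => 'EC', 'crv' => 'P-256', 'kid' => 'key-2024', 'x' => 'PLACEHOLDER', 'y' => 'PLACEHOLDER']];
$cache = new RotatingKeySetCache(function () use (&$published) { return $published; });
$token = fn (string $kid) => base64UrlEncode(json_encode(['alg' => 'ES256', 'kid' => $kid])) . '.e30.sig';

$keys = $cache->candidateKeys(decodeProtectedHeader($token('key-2024')), 0);
printf("before rotation: %d candidate(s), %d fetch(es)\n", count($keys), $cache->getFetchCount());

$published = [['kty' => 'EC', 'crv' => 'P-256', 'kid' => 'key-2025', 'x' => 'PLACEHOLDER', 'y' => 'PLACEHOLDER']];
$keys = $cache->candidateKeys(decodeProtectedHeader($token('key-2025')), 10);
printf("new kid after rotation: %d candidate(s), %d fetch(es)\n", count($keys), $cache->getFetchCount());

$keys = $cache->candidateKeys(decodeProtectedHeader($token('bogus')), 20);
printf("unknown kid inside cooldown: %d candidate(s), %d fetch(es)\n", count($keys), $cache->getFetchCount());
```

The third call is the reason for the cooldown: an unknown kid arriving within the cooldown window is rejected without contacting the provider, so the discovery endpoint only sees one extra request per window no matter how many tokens with invented kids arrive. A rotated key is still picked up on the first token that references it, which is the behaviour the issue asks for.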
