The JWK retriever does not remove stale JWK from cache #7849
Labels
in:Security
release bug
This bug is present in a released version of Open Liberty
release:190010
team:Security SSO
The Liberty client caches JWKs for reuse, and fetches and caches new JWKs when a JWT is signed with a new JWK (new kid or x5t). While fetching new JWKs, Liberty should clean up stale or old JWKs.
There is a regression that disables the cleanup logic.
The code that needs to be fixed is in the JwkRetriever.java class.
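The behaviour the issue asks for, as an added sketch that is not Open Liberty's code and not taken from JwkRetriever.java: a key cache that refetches on an unknown kid or x5t and, when cleanup is enabled, drops ids the issuer no longer publishes. The class, the `evictStale` flag, the fetcher callback and the sample key ids are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;

// Added illustration, not Open Liberty's JwkRetriever; every name here is hypothetical.
public class JwkCacheSketch {
    private final Map<String, String> keys = new HashMap<>(); // kid or x5t -> key (String stands in for a public key)
    private final Supplier<Map<String, String>> fetchJwks;    // stands in for the GET of the JWKS endpoint
    private final boolean evictStale;

    public JwkCacheSketch(Supplier<Map<String, String>> fetchJwks, boolean evictStale) {
        this.fetchJwks = fetchJwks;
        this.evictStale = evictStale;
    }

    public synchronized Optional<String> getKey(String id) {
        if (!keys.containsKey(id)) {                       // unknown kid/x5t: refetch the key set
            Map<String, String> fresh = fetchJwks.get();
            if (fresh != null && !fresh.isEmpty()) {       // failed or empty fetch: keep the current cache
                if (evictStale) keys.keySet().retainAll(fresh.keySet()); // drop ids no longer published
                keys.putAll(fresh);
            }
        }
        return Optional.ofNullable(keys.get(id));
    }

    public synchronized Set<String> cachedIds() {
        return Set.copyOf(keys.keySet());
    }

    public static void main(String[] args) {
        Map<String, String> published = new HashMap<>(Map.of("kid-old", "key-old")); // constructed sample JWKS
        JwkCacheSketch withCleanup = new JwkCacheSketch(() -> Map.copyOf(published), true);
        JwkCacheSketch noCleanup = new JwkCacheSketch(() -> Map.copyOf(published), false);
        withCleanup.getKey("kid-old");
        noCleanup.getKey("kid-old");

        published.clear();                   // issuer rotates: old key withdrawn, new key published
        published.put("kid-new", "key-new");
        withCleanup.getKey("kid-new");
        noCleanup.getKey("kid-new");

        System.out.println("with cleanup:    " + withCleanup.cachedIds());
        System.out.println("without cleanup: " + noCleanup.cachedIds());
    }
}
```

In this sketch the instance without cleanup still holds the withdrawn id after rotation, so a lookup for it keeps succeeding from cache without ever contacting the issuer again.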