JWKS Endpoint Latency and Timeout Impact
Monitoring indicates a p95 latency of approximately 150 ms for requests to the JSON Web Key Set (JWKS) endpoint. The fetch happens during token verification in the authorization flow; whenever it runs inline with a request, its latency is added directly to the API response time.
- JWKS endpoint
There is no officially published expected p95 latency for the JWKS endpoint, and latency in the 150 ms range is not unusual. The effect on API response times comes from the client side: the configuration uses nimbus-jose-jwt version 9.37 with its default JWK set cache lifetime of 5 minutes. Each time the cache expires, the next token verification blocks on a network request to the JWKS endpoint, so the fetch is repeated every few minutes and its latency lands in the request path instead of being amortized over a longer cache lifetime.
There is no single caching time that works for every application. Implement one of the following strategies to decouple JWKS fetching from application calls:
- Default to a longer cache time and re-fetch on failure: cache the JWKS for a longer period, such as several hours or a day. If the application encounters a token whose Key ID (kid) is not in the cache, invalidate the cache and re-fetch the JWKS. This minimizes requests to the JWKS endpoint. Rate-limit the re-fetch on a miss; otherwise tokens carrying an unknown kid force a network call per request.
- Time-based with a minimum refresh interval: configure a cache lifetime, such as 12 hours, with a minimum refresh interval, such as 5 minutes, so that refreshes never occur more often than the defined interval regardless of how many cache misses occur.
NOTE: The nimbus-jose-jwt default of 5 minutes is a reasonable starting point, but it works best when increased or combined with the re-fetch-on-failure strategy. With a long cache lifetime, a key that the issuer removes from the JWKS remains trusted locally until the cache expires (a kid miss only detects added keys), so keep the lifetime within the issuer's key rotation overlap period.
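The two strategies above expressed as nimbus-jose-jwt configuration. This is an added example, not code from the original page or from the nimbus-jose-jwt project; it assumes the JWKSourceBuilder API available in the 9.x line (including 9.37) and a hypothetical issuer URL, JWKS_URL, that must be replaced with the real endpoint.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.URL;
import java.util.concurrent.TimeUnit;

public final class JwksCacheConfig {

    // Hypothetical issuer URL for illustration; substitute the real JWKS endpoint.
    private static final String JWKS_URL = "https://issuer.example.com/.well-known/jwks.json";

    /** Strategy 1: long lifetime, background refresh, rate-limited re-fetch on an unknown kid. */
    public static JWKSource<SecurityContext> longLivedSource() throws Exception {
        return JWKSourceBuilder.<SecurityContext>create(new URL(JWKS_URL))
                // Keep the key set for 24 h; a blocking fetch, when one is needed, times out after 15 s.
                .cache(TimeUnit.HOURS.toMillis(24), TimeUnit.SECONDS.toMillis(15))
                // Refresh 30 min before expiry on a scheduled thread so callers never wait for the fetch.
                .refreshAheadCache(TimeUnit.MINUTES.toMillis(30), true)
                // A token whose kid is not cached forces a re-fetch, but never more often than every 5 min.
                .rateLimited(TimeUnit.MINUTES.toMillis(5))
                // Retry transient I/O errors, and keep serving the last good set for up to 48 h
                // if the endpoint is unreachable, so an IdP outage does not take the API down.
                .retrying(true)
                .outageTolerant(TimeUnit.HOURS.toMillis(48))
                .build();
    }

    /** Strategy 2: 12 h lifetime with a 5 min minimum refresh interval, no background refresh. */
    public static JWKSource<SecurityContext> timeBasedSource() throws Exception {
        return JWKSourceBuilder.<SecurityContext>create(new URL(JWKS_URL))
                .cache(TimeUnit.HOURS.toMillis(12), TimeUnit.SECONDS.toMillis(15))
                .rateLimited(TimeUnit.MINUTES.toMillis(5))
                .build();
    }

    /** Verifies a signed JWT against the given key source; the source should be built once and reused. */
    public static JWTClaimsSet verify(String token, JWKSource<SecurityContext> source) throws Exception {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source));
        return processor.process(token, null);
    }
}
```

Build the JWKSource once at startup and share it; constructing a new builder per request discards the cache and reproduces the original problem. With the first configuration the 150 ms fetch runs on the refresh-ahead thread rather than in the request path, and a token with an unknown kid can trigger at most one extra fetch per 5-minute window; if the issuer really did rotate keys inside that window, verification of the new-key tokens fails until the window elapses, which is the trade-off to accept in exchange for bounding the number of outbound calls.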