Short Summary of the Bug
JTI cache has constant TTL
Description
As of today, JTI cache is stored for 24 hours in the cache, Redis memory increases linearly as the load shoots up.
Resolution
Instead of constant TTL for the client _assertion JTI cache. JTI cache should use the client_assertion JWT expire time as TTL.
Background
JTI in the client_assertion JWT should never repeat. Authorisation server should not accept the same client_assertion JWT more than once as per openID core spec.
Attachments / Evidence / Links
No response
Short Summary of the Bug
JTI cache has constant TTL
Description
As of today, JTI cache is stored for 24 hours in the cache, Redis memory increases linearly as the load shoots up.
Resolution
Instead of constant TTL for the client _assertion JTI cache. JTI cache should use the client_assertion JWT expire time as TTL.
Background
JTI in the client_assertion JWT should never repeat. Authorisation server should not accept the same client_assertion JWT more than once as per openID core spec.
Attachments / Evidence / Links
No response