JWT key rotation

Question

I have been thinking and searching many different approaches but I am not sure what is the best solution to solve this problem. Imagine you have 50 microservices that communicate via symmetric JWT - shared key. At the moment the jwt is stored on each microservice (server or virtual host). What i would like to do is to use aws secret manager to manager the JWT key and to eventually rotate the key. Obviously i can rotate the key easily but i want to cache the JWT token (with the aws library for python) so that i do not make too many calls to the services (yes, each call to each web service requirs a JWT). Obviously, if i cache the key for a certain amount of time, there will be cases where the key will be out of sync on some servers, so how would you move forward to be able to rotate secret in aws secret service (keeping in mind that i use caching to avoid slowdown in server interaction and cost)?

Any suggestions?

Answer 1

JWKS use asymmetric priv/pub keys kept in secret manager, expose pub key on the auth server (via url) for other services to use. Auth server either periodically checks for new keys or you ping it to refresh after rotating the keys.