Public Key Caching Strategies for Token Signature Validation - DevSecCon
Offered By: DevSecCon via YouTube
Course Description
Overview
Explore public key caching strategies for token signature validation in this DevSecCon conference talk. Delve into the world of modern access delegation and consumer authentication protocols, focusing on OAuth2 and OpenID Connect. Learn about JSON Web Tokens (JWTs) and their implementation using asymmetric cryptography. Understand the importance of public key verification for token trust and the performance benefits of local key storage and caching. Examine the challenges posed by dynamic key management and the need for cache refreshing when token signing keys are changed. Compare different caching strategies, including "On-Demand Refresh," "Regular Refresh," and "Refresh on Expiry," evaluating their performance and security trade-offs. Gain valuable insights into the benefits and liabilities of each approach, enabling you to make informed decisions about implementing public key caching in your own systems.
Syllabus
Intro
What We Are Going to Cover Today
Brief Intro: Asymmetric (Public Key) Cryptography
Brief Intro: JSON Web Token (JWT)
Brief Intro: OAuth 2.0 and OpenID Connect
Public Key Management Options
Rationale for Public Key Caching
"On-Demand Refresh" Caching Strategy
"Regular Refresh" Caching Strategy
"Refresh on Expiry" Caching Strategy
Recommendations
Taught by
DevSecCon
Related Courses
Server-side Development with NodeJS (The Hong Kong University of Science and Technology via Coursera)
API Security on Google Cloud's Apigee API Platform (Google Cloud via Coursera)
Authentication and Authorization using Node.js (Microsoft via edX)
Legacy - Node: De cero a experto (Udemy)
Effective Oauth2 with Spring Security and Spring Boot (Pluralsight)