First, I would like to introduce myself: I am the main developer of LemonLDAP::NG (http://lemonldap-ng.org), a WebSSO and Access Control free software. We already support the CAS, OpenID 2.0 and SAML 2.0 protocols and I am working on adding OpenID Connect support.
I hope this list is the right place to ask some questions on OpenID Connect implementation. If not, please let me know.
So, a first question is about the configuration data that we grab from the configuration endpoint (.well-known/openid-configuration). For now, I decided to cache this information in my local configuration, with the possibility for an administrator to update it through the administration interface. But doing some tests, I saw that recently Google has changed the keys in its JWKS document (https://www.googleapis.com/oauth2/v2/certs).
So my question is: should we refresh the configuration data / JWKS data (which means a GET on the configuration endpoint and the jwks_uri endpoint every X minutes), or is it common to store this data in the local configuration and let the administrator refresh it? Another related question: could we not have a 'serial number' parameter in the configuration JSON document in order to be able to know if we already have the latest configuration?
Thanks a lot for your attention.
LemonLDAP::NG - http://www.lemonldap-ng.org
LINAGORA - http://www.linagora.com
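The refresh problem raised above (an OP rotating the keys behind its jwks_uri between fetches) is commonly handled on the Relying Party side by caching the JWKS with a time-to-live and additionally re-fetching when a token carries an unknown `kid`, while rate-limiting those forced refreshes. The following is an added example of that pattern, not code from LemonLDAP::NG or from the original message; it is written in Python rather than the project's Perl, the `JwksCache` class and its parameters are assumed names, the network fetch is injected as a callable, and the JWKS documents and clock are constructed inline so it runs offline.

```python
import time


class JwksCache:
    """Cache of an OP's JWKS, refreshed when the TTL expires or a token names
    a `kid` we do not hold (key rotation).

    `fetch` returns the parsed JWKS dict (a real one would GET the `jwks_uri`
    taken from .well-known/openid-configuration). `min_interval` bounds how
    often an unknown `kid` may force a network refresh, so a flood of tokens
    with bogus kids cannot turn the RP into a request amplifier against the OP.
    """

    def __init__(self, fetch, ttl=3600, min_interval=60, clock=time.time):
        self._fetch, self._ttl, self._min, self._clock = fetch, ttl, min_interval, clock
        self._keys = {}            # kid -> JWK, signing keys only
        self._fetched_at = None    # clock value of the last successful fetch
        self.refreshes = 0         # how many times we hit the (injected) endpoint

    def _refresh(self):
        keys = {}
        for k in self._fetch().get("keys", []):
            # Keep only signing keys that carry a kid; ignore enc keys and others.
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and "kid" in k:
                keys[k["kid"]] = k
        self._keys, self._fetched_at = keys, self._clock()
        self.refreshes += 1

    def key_for(self, kid):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at > self._ttl:
            self._refresh()                                  # cold cache or TTL expired
        key = self._keys.get(kid)
        if key is None and now - self._fetched_at >= self._min:
            self._refresh()                                  # possible rotation: retry once
            key = self._keys.get(kid)
        return key                                           # None -> reject the token


# Constructed sample: the OP rotates from "k1" to "k2" between our two fetches.
_versions = [
    {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "e": "AQAB", "n": "constructed"}]},
    {"keys": [{"kty": "RSA", "kid": "k2", "use": "sig", "e": "AQAB", "n": "constructed"}]},
]


def demo():
    now, served = [1000.0], []
    def fetch():
        doc = _versions[min(len(served), len(_versions) - 1)]
        served.append(doc)
        return doc
    cache = JwksCache(fetch, ttl=3600, min_interval=60, clock=lambda: now[0])
    r1 = cache.key_for("k1") is not None   # cold cache: first fetch serves k1
    r2 = cache.key_for("k2") is None       # unknown kid, but a refresh is rate-limited
    now[0] += 120
    r3 = cache.key_for("k2") is not None   # past min_interval: refetch picks up the rotation
    r4 = cache.key_for("k1") is None       # retired key gone; no third fetch is triggered
    return r1, r2, r3, r4, cache.refreshes  # returns (True, True, True, True, 2)
```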