security-bundle: refresh JWKS on kid mismatch during OIDC discovery#62355
Base branch: 7.4
Conversation
carsonbot commented Nov 10, 2025
Hey! I see that this is your first PR. That is great! Welcome! Symfony has a contribution guide which I suggest you to read. In short:
Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change. When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor! I am going to sit back now and wait for the reviews. Cheers! Carsonbot
This PR adds an optional refresh_jwks_on_kid_mismatch option to the OIDC discovery mechanism.
When enabled, Symfony will automatically refresh the JWKS if the kid (Key ID) in the JWT header is not found in the cached key set.
This prevents token validation failures in cases where the OIDC provider’s signing keys have changed while the cached key set has not yet expired.
Example configuration:
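The refresh-on-kid-mismatch behaviour this PR describes, sketched as an added Python example. This is not the PR's or Symfony's code: the FakeProvider, the JwksCache class, its min_refresh_interval floor and the make_token helper are all assumptions of this illustration, and signature verification is deliberately left out so that only the key-selection step (cached set, TTL, forced refresh on unknown kid) is shown.

```python
"""Hypothetical illustration of 'refresh JWKS on kid mismatch'; not Symfony's code."""
import base64
import json
import time
from typing import Callable, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(kid: str, claims: Optional[dict] = None) -> str:
    """Constructed sample JWT (header.claims.signature) with a placeholder signature.
    Only the header matters for key selection; real tokens carry an RS256/ES256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    body = claims or {"sub": "user-1", "iss": "https://idp.example"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(body).encode()),
        _b64url_encode(b"signature-placeholder"),
    ])


def jwt_kid(token: str) -> Optional[str]:
    """Read 'kid' from the JWT header. The header is unverified input: use it only to
    pick a candidate key, never to trust anything else in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    kid = header.get("kid") if isinstance(header, dict) else None
    return kid if isinstance(kid, str) else None


class FakeProvider:
    """Constructed stand-in for an OIDC provider's jwks_uri; rotates keys on demand."""

    def __init__(self) -> None:
        self.keys = {"key-2024": {"kty": "RSA", "kid": "key-2024", "n": "...", "e": "AQAB"}}
        self.fetches = 0  # how many times jwks_uri was hit

    def fetch_jwks(self) -> dict:
        self.fetches += 1
        return {"keys": list(self.keys.values())}

    def rotate(self, new_kid: str) -> None:
        self.keys = {new_kid: {"kty": "RSA", "kid": new_kid, "n": "...", "e": "AQAB"}}


class JwksCache:
    """Caches jwks_uri results; re-fetches on TTL expiry and, when enabled, when a token
    names a kid the cache does not hold. A floor between forced refreshes stops a flood
    of tokens with bogus kids from turning every request into a call to the provider."""

    def __init__(self, provider: FakeProvider, ttl: float = 3600.0,
                 refresh_on_kid_mismatch: bool = True, min_refresh_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._provider = provider
        self._ttl = ttl
        self._refresh_on_kid_mismatch = refresh_on_kid_mismatch
        self._min_refresh_interval = min_refresh_interval
        self._clock = clock
        self._keys: dict = {}
        self._fetched_at: Optional[float] = None

    def _refresh(self) -> None:
        jwks = self._provider.fetch_jwks()
        # Index by kid; keys without a kid cannot be selected and are dropped
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def _expired(self) -> bool:
        return self._fetched_at is None or self._clock() - self._fetched_at >= self._ttl

    def key_for(self, token: str) -> Optional[dict]:
        """Return the JWK to verify this token with, or None if no such key is known."""
        kid = jwt_kid(token)
        if kid is None:
            return None
        if self._expired():
            self._refresh()
        key = self._keys.get(kid)
        if key is not None or not self._refresh_on_kid_mismatch:
            return key
        # kid mismatch: the provider may have rotated keys before our TTL ran out
        if self._clock() - self._fetched_at < self._min_refresh_interval:
            return None  # refreshed too recently; treat the kid as unknown
        self._refresh()
        return self._keys.get(kid)


def demo() -> dict:
    """First use, key rotation before TTL expiry, then a bogus kid right afterwards."""
    now = [0.0]
    idp = FakeProvider()
    cache = JwksCache(idp, ttl=3600, clock=lambda: now[0])
    result = {"initial": cache.key_for(make_token("key-2024")) is not None}
    idp.rotate("key-2025")
    now[0] += 120
    result["after_rotation"] = cache.key_for(make_token("key-2025")) is not None
    result["bogus_kid"] = cache.key_for(make_token("evil")) is None
    result["fetches"] = idp.fetches  # one initial load plus one forced refresh
    return result
```

The refresh happens once per unknown kid and only if the last fetch is older than the floor; a refreshed set that still lacks the kid is rejected rather than retried, so an attacker cannot make the resource server call jwks_uri once per forged token.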