OAuth 2.0 JWK rotation period

For the OAuth 2.0 service, I would like to know how often Google rotates the JWK used for signing. Is it updated once a week? I couldn't find the corresponding document.

Hi @wilsonWu ,

Welcome to Google Cloud Community!

Based on this documentation on Google-managed key pairs:

Google-managed key pairs are automatically rotated and used for signing for a maximum of two weeks. The rotation process is probabilistic; usage of the new key will gradually ramp up and down over the key’s lifetime.

Hope this helps.

I think the documentation link you provided refers to keys provisioned for Service Accounts, which are not the same as the keys used for the OAuth2 service.

The well-known JWKS endpoint for Google OAuth2 is: https://www.googleapis.com/oauth2/v3/certs

Those keys are not coincident with the keys that are provisioned for service accounts. Each SA has its own keypair (at least one keypair), and per the doc, that keypair is rotated at least every two weeks. The public key(s) for THAT keypair are available here:

https://www.googleapis.com/service_accounts/v1/jwk/SERVICE_ACCOUNT_EMAIL

For example, for Firebase Auth / Google Identity, the JWKS is here:

https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

The doc page you cited doesn’t refer to keys for the OAuth2 service.

This reply, claiming to quote Google customer support, states that Google doesn’t specify a key rotation interval for the OAuth2 service.

Supporting that, THIS PAGE states that for Google ID tokens (issued for the OAuth2 service), “the keys are regularly rotated.” I am not sure “regularly” is the best word here, because I don’t think the rotation happens on a regular schedule. Maybe “routinely rotated” is a better phrase. In any case, I think the main point is that Google doesn’t specify how often it rotates such keys - just pay attention to the caching header in the HTTP response!
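The practical consequence of the last point (no published rotation interval, so honour the Cache-Control header and expect a new `kid` to appear at any time) is a JWKS cache that re-fetches when `max-age` elapses and once, rate-limited, when a token carries an unknown `kid`. The following is an added example and is not code from this thread or from Google. The live fetch helper targets the real https://www.googleapis.com/oauth2/v3/certs URL but is not called; the JWKS documents, kids, placeholder moduli and the 21600-second `max-age` in the simulation are constructed test data, and the 300-second fallback TTL and 60-second refresh cooldown are assumed values, not Google's.

```python
"""JWKS cache that honours Cache-Control max-age and survives key rotation."""
import json
import re
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

FetchResult = Tuple[bytes, Dict[str, str]]  # (response body, response headers)
GOOGLE_OAUTH2_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs"


def fetch_google_certs(url: str = GOOGLE_OAUTH2_CERTS_URL) -> FetchResult:
    """Live network fetch of Google's OAuth2 JWKS. Not used by the offline demo."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read(), {k: v for k, v in resp.headers.items()}


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    """Return the max-age directive in seconds, or None if the header lacks one."""
    if not cache_control:
        return None
    m = re.search(r"(?:^|,)\s*max-age\s*=\s*(\d+)", cache_control, re.IGNORECASE)
    return int(m.group(1)) if m else None


class JwksCache:
    """Signing keys by kid. Re-fetch on max-age expiry, and once (rate-limited)
    on an unknown kid so a newly ramped-in key is picked up without letting
    bogus kids from an attacker turn into a flood of requests to the endpoint."""

    def __init__(self, fetch: Callable[[], FetchResult], *,
                 default_ttl: float = 300.0,          # assumed fallback if no max-age
                 min_refresh_interval: float = 60.0,  # assumed unknown-kid cooldown
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._clock = fetch, clock
        self._default_ttl, self._min_refresh_interval = default_ttl, min_refresh_interval
        self._keys: Dict[str, dict] = {}
        self._expires_at = self._last_refresh = float("-inf")
        self.fetch_count = 0

    def _refresh(self) -> None:
        body, headers = self._fetch()
        self.fetch_count += 1
        keys = {jwk["kid"]: jwk for jwk in json.loads(body).get("keys", [])
                if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig" and "kid" in jwk}
        if not keys:
            raise ValueError("JWKS document contained no usable RSA signing keys")
        cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), None)
        ttl = parse_max_age(cc)
        now = self._clock()
        self._keys, self._last_refresh = keys, now
        self._expires_at = now + (ttl if ttl is not None else self._default_ttl)

    def get_key(self, kid: str) -> dict:
        now = self._clock()
        if now >= self._expires_at:            # cached document is stale
            self._refresh()
        if kid in self._keys:
            return self._keys[kid]
        if now - self._last_refresh >= self._min_refresh_interval:  # maybe a rotated-in key
            self._refresh()
            if kid in self._keys:
                return self._keys[kid]
        raise KeyError(f"no signing key with kid={kid!r}")


class FakeClock:
    def __init__(self) -> None: self.t = 0.0
    def __call__(self) -> float: return self.t
    def advance(self, seconds: float) -> None: self.t += seconds


def _jwk(kid: str) -> dict:  # constructed placeholder JWK; "n" is not a real modulus
    return {"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "AQAB"}


def simulate_rotation() -> Dict[str, object]:
    """Offline walk-through: cold fetch, cached hit, new kid, bogus kid, retired kid."""
    clock, served = FakeClock(), {"keys": [_jwk("k1")]}
    headers = {"Cache-Control": "public, max-age=21600, must-revalidate"}  # constructed
    cache = JwksCache(lambda: (json.dumps(served).encode(), dict(headers)), clock=clock)
    out: Dict[str, object] = {}
    out["first"] = cache.get_key("k1")["kid"]           # cold cache -> fetch #1
    clock.advance(3600)
    out["cached"] = cache.get_key("k1")["kid"]          # inside max-age -> no fetch
    out["fetches_after_cached"] = cache.fetch_count
    served["keys"] = [_jwk("k1"), _jwk("k2")]           # provider ramps in a new key
    out["rotated"] = cache.get_key("k2")["kid"]         # unknown kid -> fetch #2
    try:
        cache.get_key("bogus"); out["bogus_rejected"] = False
    except KeyError:
        out["bogus_rejected"] = True                    # inside cooldown -> no fetch
    out["fetches_after_bogus"] = cache.fetch_count
    clock.advance(21600)
    served["keys"] = [_jwk("k2")]                       # old key retired
    try:
        cache.get_key("k1"); out["retired_rejected"] = False
    except KeyError:
        out["retired_rejected"] = True                  # expiry -> fetch #3, k1 gone
    out["total_fetches"] = cache.fetch_count
    return out
```

If you use a verification library such as google-auth, it ships its own certificate cache and you should not fetch the JWKS yourself; the block shows the policy such a cache needs to implement. Note that the cooldown deliberately makes a brand-new key unusable for up to `min_refresh_interval` seconds after a bogus-kid probe, which is the usual trade-off against endpoint hammering.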