tekul / broch

OAuth2 and OpenID Connect in Haskell

Home Page:http://broch.tech

automatic key rotation process?

dylex opened this issue

This is more a question than an issue. We're running a server pretty much based on the example server (but with different authentication). After about 5 days, some clients seem to stop working until we restart one or both services, which seems to correspond to the default key TTL. Does rotateKeys need to be called manually every 5 days, or is some other process necessary? The docs just say the function exists in case you need to manually generate new ones, but the example only calls the function when it starts.

commented

The default keyring parameters are set up so that keys expire after 5 days, so I'd guess it's related. You can change that if you wish or schedule a call to rotateKeys. What are the clients trying to do when they "stop working"?

If you're using it in anger for anything then you should probably also use a larger RSA key size.

Thanks for the response. I'll try calling rotateKeys False from a thread every 5 days.

The main client is https://www.mediawiki.org/wiki/Extension:OpenID_Connect and it's behaving as if it's not getting a JSON token back. After the user is redirected back with a successful auth, MediaWiki's POST to /oauth/token seems to return a 500 (after it GETs openid-configuration).

I wouldn't say anger exactly but certainly in small-scale production. It was quite easy to set up (though just customizing the login html is a little copy-and-pasty).

commented

A 500 sounds like a bug. Let me know if you get some more info and I'll take a look. Not sure when I'll have time to investigate myself. Are you using postgres?

Calling rotateKeys regularly seems to have fixed this problem.
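One way to run the scheduled rotation thread described in this issue, added here as an example rather than code from the issue or from broch itself. It takes the rotation call as a plain `IO ()` (pass whatever call your server uses, e.g. `rotateKeys False` as in the thread), rotates a day ahead of the 5-day default TTL (an assumed margin so a fresh key is available before the old one expires), and retries sooner after a failed rotation instead of letting an exception silently kill the thread.

```haskell
{-# LANGUAGE ScopedTypeVariables #-}
module KeyRotation (startKeyRotation, rotationInterval, retryInterval) where

import Control.Concurrent (ThreadId, forkIO, threadDelay)
import Control.Exception (SomeException, try)
import System.IO (hPutStrLn, stderr)

-- Intervals in seconds. Rotating after 4 days is an assumed margin chosen to
-- stay inside the 5-day default key TTL mentioned in the issue; adjust it to
-- match whatever TTL your keyring is configured with.
rotationInterval, retryInterval :: Int
rotationInterval = 4 * 24 * 60 * 60
retryInterval    = 60 * 60

-- threadDelay takes microseconds as an Int, so sleep in 30-minute chunks:
-- 1800 * 10^6 fits even a 32-bit Int, while 4 days * 10^6 does not.
sleepSeconds :: Int -> IO ()
sleepSeconds = go
  where
    chunk = 30 * 60
    go n | n <= 0    = return ()
         | otherwise = do
             let step = min chunk n
             threadDelay (step * 1000000)
             go (n - step)

-- Fork a background loop that runs the given rotation action periodically.
-- A failure is logged and retried after retryInterval; on success the loop
-- goes back to the full rotationInterval. Nothing escapes the loop, so the
-- thread (and with it key rotation) never dies quietly.
startKeyRotation :: IO () -> IO ThreadId
startKeyRotation rotate = forkIO (go rotationInterval)
  where
    go delay = do
      sleepSeconds delay
      r <- try rotate
      case r of
        Right () -> go rotationInterval
        Left (e :: SomeException) -> do
          hPutStrLn stderr ("key rotation failed, retrying in an hour: " ++ show e)
          go retryInterval
```

Call `startKeyRotation (rotateKeys False)` (or the equivalent call for your keyring) once during server start-up, after the initial rotation the example server already performs.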