Signature verification and key rotation

The OpenID Connect specification provides guidance on how to rotate the asymmetric keys used for token signing. AppDirect marketplaces have adopted the approach described in the specification.

Each marketplace-issued id_token (a JWT) carries a key identifier (kid) in its header that references the key used to sign the token. For example:

{"kid":"1ee4d9e7dcfef215d133c7ed7ac87c95f8d8e712","alg":"RS256"}

This kid can be used to look up the signature verification certificate that was originally retrieved from the “jwks_uri” endpoint listed in the OpenID Connect provider metadata. See Example B — IDC provider metadata in the OpenID Connect authentication event examples topic.

Marketplaces have three or more active signing certificates at any given moment, and one of them is selected at random to sign each token. Since each key has an expiry date, OpenID Connect clients must use the kid value when verifying tokens, and must be able to detect an unknown kid and retrieve fresh keys from the jwks_uri endpoint when needed.
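As an added example (not AppDirect's code), the kid handling described above in Python: the JWT header is parsed, alg is pinned to RS256, and an unknown kid triggers exactly one refetch of the key set before the token is rejected. The jwks_uri HTTP call is replaced by a constructed rotating fetcher with placeholder JWKs, and the actual RSA signature check over the selected JWK is left to a JOSE library.

```python
import base64, json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_header(id_token):
    # The JOSE header is the first of the three dot-separated JWT segments.
    return json.loads(b64url_decode(id_token.split(".")[0]))

class JwksCache:
    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks      # GETs jwks_uri and returns the parsed JSON
        self.fetch_count = 0          # lets callers observe refresh behaviour
        self.refresh()

    def refresh(self):
        self.fetch_count += 1
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}

    def key_for(self, kid):
        if kid not in self._keys:
            self.refresh()            # rotation may have happened: refresh once, never loop
        return self._keys.get(kid)    # None means reject the token

def select_verification_key(id_token, cache, allowed_algs=("RS256",)):
    # Pin the algorithm and resolve kid before any signature check is attempted.
    header = parse_header(id_token)
    if header.get("alg") not in allowed_algs:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("header has no kid")
    key = cache.key_for(kid)
    if key is None:
        raise ValueError("unknown kid after refresh: " + kid)
    return key

# Constructed sample: a provider that rotates from key k1 to keys k2 and k3 (n is a placeholder).
ROTATION = [{"keys": [{"kty": "RSA", "kid": "k1", "e": "AQAB", "n": "placeholder-1"}]},
            {"keys": [{"kty": "RSA", "kid": "k2", "e": "AQAB", "n": "placeholder-2"},
                      {"kty": "RSA", "kid": "k3", "e": "AQAB", "n": "placeholder-3"}]}]

def rotating_fetcher(sets=ROTATION):
    # Each call returns the next key set, then keeps returning the last one.
    calls = iter(sets[:-1])
    return lambda: next(calls, sets[-1])

def token_with_header(header):
    # Header segment only; payload ("{}") and signature are dummies for this demo.
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return seg + ".e30."
```

In production, rate-limit `refresh()` as well, so that a flood of tokens carrying bogus kid values cannot turn every verification into a request to jwks_uri.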