Advisories for Nuget/Steeltoe.Security.Authentication.CloudFoundryBase package

2026

Steeltoe's static JWKS cache shared across schemes and never invalidated

The JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally, cached keys have no expiration, so rotated or revoked keys remain trusted until the application process restarts.
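To make the two defects concrete, the following added Python illustration (not Steeltoe's TokenKeyResolver code) models a kid-only, never-expiring cache alongside a hardened cache that namespaces entries by authority and re-fetches after a TTL. The issuer URLs, kid values and JWKS documents are constructed placeholders, and the fetch function stands in for the HTTPS retrieval of each provider's key set:

```python
"""Constructed illustration of a JWKS cache keyed only by kid with no expiry,
beside a variant keyed by (authority, kid) with a TTL. Not Steeltoe code."""
import time
from copy import deepcopy
from typing import Callable, Dict, Optional, Tuple

# Constructed sample JWKS documents for two hypothetical identity providers
# (placeholder URLs, not real issuers). Both publish a key with the same kid,
# which is legal: kid only needs to be unique within one issuer's key set.
JWKS_BY_AUTHORITY = {
    "https://idp-a.example/": {"keys": [{"kid": "2026-01", "kty": "RSA", "n": "A-modulus", "e": "AQAB"}]},
    "https://idp-b.example/": {"keys": [{"kid": "2026-01", "kty": "RSA", "n": "B-modulus", "e": "AQAB"}]},
}

Jwk = Dict[str, str]
Fetcher = Callable[[str], dict]


def fetch_jwks(authority: str) -> dict:
    """Stand-in for fetching <authority>/.well-known/jwks.json over HTTPS."""
    return JWKS_BY_AUTHORITY[authority]


class KidOnlyKeyCache:
    """Models the defect: one process-wide dict keyed by kid alone, entries never expire."""

    _keys: Dict[str, Jwk] = {}  # class attribute, so every scheme in the process shares it

    def __init__(self, authority: str, fetch: Fetcher = fetch_jwks) -> None:
        self.authority = authority
        self.fetch = fetch

    def resolve(self, kid: str) -> Optional[Jwk]:
        if kid not in self._keys:  # fetch only on a miss; a hit is trusted for the process lifetime
            for key in self.fetch(self.authority)["keys"]:
                self._keys[key["kid"]] = key
        return self._keys.get(kid)


class ScopedKeyCache:
    """Hardened variant: entries are namespaced by authority and expire after ttl_seconds.

    A store may still be shared between schemes (pass the same dict), because the
    (authority, kid) tuple keeps one issuer's keys from answering for another issuer.
    """

    def __init__(self, authority: str, fetch: Fetcher = fetch_jwks, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic,
                 store: Optional[Dict[Tuple[str, str], Tuple[Jwk, float]]] = None) -> None:
        self.authority = authority
        self.fetch = fetch
        self.ttl = ttl_seconds
        self.clock = clock
        self._store = store if store is not None else {}

    def resolve(self, kid: str) -> Optional[Jwk]:
        now = self.clock()
        entry = self._store.get((self.authority, kid))
        if entry is None or now >= entry[1]:  # miss, or cached copy past its TTL
            self._refresh(now)
            entry = self._store.get((self.authority, kid))
        return entry[0] if entry else None

    def _refresh(self, now: float) -> None:
        # Replace this authority's entries wholesale, so a kid the issuer has
        # dropped (rotation or revocation) stops resolving after the refresh.
        for k in [k for k in self._store if k[0] == self.authority]:
            del self._store[k]
        for key in self.fetch(self.authority)["keys"]:
            self._store[(self.authority, key["kid"])] = (key, now + self.ttl)


def demo_cross_scheme_confusion() -> Tuple[str, str]:
    """Two schemes, two issuers, same kid: the kid-only cache hands scheme B issuer A's key."""
    KidOnlyKeyCache._keys.clear()  # start from an empty process-wide cache
    scheme_a = KidOnlyKeyCache("https://idp-a.example/")
    scheme_b = KidOnlyKeyCache("https://idp-b.example/")
    key_for_a = scheme_a.resolve("2026-01")["n"]
    key_for_b = scheme_b.resolve("2026-01")["n"]  # cache hit on A's entry; B's JWKS is never fetched
    return key_for_a, key_for_b


def demo_scoped_resolution() -> Tuple[str, str]:
    """Same scenario with a shared store namespaced by authority: each scheme gets its own issuer's key."""
    shared: Dict[Tuple[str, str], Tuple[Jwk, float]] = {}
    scheme_a = ScopedKeyCache("https://idp-a.example/", store=shared)
    scheme_b = ScopedKeyCache("https://idp-b.example/", store=shared)
    return scheme_a.resolve("2026-01")["n"], scheme_b.resolve("2026-01")["n"]


def demo_rotation() -> Tuple[bool, bool, bool]:
    """Issuer A rotates from kid 2026-01 to 2026-02; compare both caches once the TTL has passed."""
    live = deepcopy(JWKS_BY_AUTHORITY)  # mutable copy standing in for the issuer's live endpoint
    fake_now = [1000.0]
    scoped = ScopedKeyCache("https://idp-a.example/", fetch=lambda a: live[a],
                            ttl_seconds=300.0, clock=lambda: fake_now[0])
    KidOnlyKeyCache._keys.clear()
    kid_only = KidOnlyKeyCache("https://idp-a.example/", fetch=lambda a: live[a])
    scoped.resolve("2026-01")
    kid_only.resolve("2026-01")  # warm both caches with the pre-rotation key
    live["https://idp-a.example/"]["keys"] = [{"kid": "2026-02", "kty": "RSA", "n": "A-modulus-2", "e": "AQAB"}]
    fake_now[0] += 301.0  # TTL elapses
    old_still_trusted_kid_only = kid_only.resolve("2026-01") is not None  # retired key still accepted
    old_rejected_scoped = scoped.resolve("2026-01") is None                # refresh dropped the retired kid
    new_key_scoped = scoped.resolve("2026-02") is not None                 # rotated key picked up
    return old_still_trusted_kid_only, old_rejected_scoped, new_key_scoped
```

The first demo returns `A-modulus` for both schemes, which is the cross-scheme condition the advisory describes; the scoped cache returns each issuer's own modulus. In the rotation demo the kid-only cache keeps honouring the retired kid indefinitely, while the scoped cache stops resolving it after one TTL and picks up the new kid. A production version should additionally rate-limit refreshes triggered by unknown kids, since otherwise a flood of tokens with bogus kids turns every validation into a JWKS fetch.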