OpenLiberty · jcharnetsky · Oct 30, 2024 · Oct 30, 2024 · Oct 30, 2024 · Oct 31, 2024
diff --git a/...bm.ws.security.common.jsonwebkey/src/com/ibm/ws/security/common/jwk/impl/JWKProvider.java b/...bm.ws.security.common.jsonwebkey/src/com/ibm/ws/security/common/jwk/impl/JWKProvider.java
@@ -71,15 +71,18 @@ public JWKProvider(int keySize, String alg, long rotationTimeMs) {
         this.size = keySize;
         JWKS_TO_GENERATE = 2;
         this.alg = alg;
-        if (rotationTimeMs <= 0) {
+        if (rotationTimeMs < 0) {
             if (tc.isDebugEnabled()) {
-                Tr.debug(tc, "Specified rotation time " + rotationTimeMs + " <= 0. Setting rotation time to the default (" + DEFAULT_ROTATION_TIME + " ms) instead");
+                Tr.debug(tc, "Specified rotation time " + rotationTimeMs + " < 0. Setting rotation time to the default (" + DEFAULT_ROTATION_TIME + " ms) instead");
             }
             rotationTimeMs = DEFAULT_ROTATION_TIME;
         }
         this.rotationTimeInMilliseconds = rotationTimeMs;
 
-        scheduleRotationTask();
+        // A rotation time of 0ms means do not rotate
+        if (rotationTimeInMilliseconds != 0) {
+            scheduleRotationTask();
+        }
     }
 
     public JWKProvider(int keySize, String alg, long rotationTimeMs, PublicKey publicKey, PrivateKey privateKey) {
@@ -91,9 +94,9 @@ public JWKProvider(int keySize, String alg, long rotationTimeMs, PublicKey publi
         }
         this.size = keySize;
         this.alg = alg;
-        if (rotationTimeMs <= 0) {
+        if (rotationTimeMs < 0) {
             if (tc.isDebugEnabled()) {
-                Tr.debug(tc, "Specified rotation time " + rotationTimeMs + " <= 0. Setting rotation time to the default (" + DEFAULT_ROTATION_TIME + " ms) instead");
+                Tr.debug(tc, "Specified rotation time " + rotationTimeMs + " < 0. Setting rotation time to the default (" + DEFAULT_ROTATION_TIME + " ms) instead");
             }
             rotationTimeMs = DEFAULT_ROTATION_TIME;
         }

diff --git a/....security.common.jsonwebkey/test/com/ibm/ws/security/common/jwk/impl/JWKProviderTest.java b/....security.common.jsonwebkey/test/com/ibm/ws/security/common/jwk/impl/JWKProviderTest.java
@@ -108,6 +108,13 @@ public void testConstructor() {
             assertEquals("Rotation time was not the expected value.", defaultRotationTime, provider.rotationTimeInMilliseconds);
             assertEquals("Number of generated JWKs was not expected value.", 0, provider.jwks.size());
 
+            // Allow 0m rotation time, resulting in keys never rotating
+            provider = new JWKProvider(defaultKeySize, RS256, 0);
+            assertEquals("Key size was not the expected length.", defaultKeySize, provider.size);
+            assertEquals("Did not get expected algorithm.", RS256, provider.alg);
+            assertEquals("Rotation time was not the expected value.", 0, provider.rotationTimeInMilliseconds);
+            assertEquals("Number of generated JWKs was not expected value.", 0, provider.jwks.size());
+            assertEquals("Timer was not expected value.", null, provider.timer);
         } catch (Throwable t) {
             outputMgr.failWithThrowable(testName.getMethodName(), t);
         }

diff --git a/dev/com.ibm.ws.security.jwt/resources/OSGI-INF/metatype/metatype.xml b/dev/com.ibm.ws.security.jwt/resources/OSGI-INF/metatype/metatype.xml
@@ -43,7 +43,7 @@
          <AD id="keyStoreRef" name="%keyStoreRef" description="%keyStoreRef.desc" required="false" type="String" ibmui:uiReference="com.ibm.ws.ssl.keystore" />
          <AD id="keyAlias" name="%keyAliasName" description="%keyAliasName.desc" required="false" type="String" />
          <AD id="trustStoreRef" name="%trustStoreRef" description="%trustStoreRef.builder.desc" required="false" type="String" ibmui:uiReference="com.ibm.ws.ssl.keystore" />
-         <AD id="jwkRotationTime" name="internal" description="internal use only" required="false" type="String" ibm:type="duration(m)" default="720m" min="60m"/>
+         <AD id="jwkRotationTime" name="internal" description="internal use only" required="false" type="String" ibm:type="duration(m)" default="720m" min="0m"/>
          <AD id="jwkSigningKeySize" name="internal" description="internal use only" required="false" type="Long" default="2048">
             <Option label="%jwkSigningKeySize.1024" value="1024"/>
             <Option label="%jwkSigningKeySize.2048" value="2048"/>

diff --git a/dev/com.ibm.ws.security.openidconnect.server/resources/OSGI-INF/l10n/metatype.properties b/dev/com.ibm.ws.security.openidconnect.server/resources/OSGI-INF/l10n/metatype.properties
@@ -183,7 +183,7 @@ idTokenCacheEnabled=Cache ID tokens
 idTokenCacheEnabled.desc=Enable caching to save ID tokens in the database and in-memory cache.
 
 jwkRotationTime=JWK rotation time
-jwkRotationTime.desc=Amount of time after which a new JWK is generated (minutes). For example, specify 90 minutes as 90 or 90m. Minimum value is 60 minutes.
+jwkRotationTime.desc=The amount of time after which a new JWK is generated in minutes. For example, specify 90 minutes as 90 or 90m. The minimum value of time is 0 minutes, where 0 minutes disables key rotation.
 
 jwkSigningKeySize=JWK signing key size
 jwkSigningKeySize.desc=Size measured in bits of the signing key.