When the key sets are used for the first time, the keys are generated and, depending on the configuration, this step may take a long time.
By adding a service with the tag kernel.cache_warmer, the key sets could be created during the cache warmup (bin/console cache:warmup).

The documentation of this bundle has to be written.

A new JWK Source that allows random keys to be created should be added.
This source should generate oct, RSA, EC or OKP keys depending on parameters (key size, curve...) and additional parameters.
The kid should be a random string.
The key should be stored in a file and have a TTL for key rotation.
This source should also be able to create definitions for both public and private keys (if needed).

https://github.com/symfony/recipes-contrib

Depending on the application environment, some optimizations may be available and developers should be warned.

For example, the

• AxxxGCMKW algorithm is used but the application runs on PHP 7.0 without the libCrypto.
• the OpenSSL EC keys are not supported and the library uses the pure PHP fallback which is not efficient.

A DataCollector and a template could be added to display some information to the developer on the debug toolbar.

Like Rotatable Keys, Rotatable Key Sets should be added.
These key sets will contain keys that are updated and swapped when needed.

For example the set contains keys 1, 2 and 3.
After a period of time TTL:

• the key 3 is erased,
• the key 2 becomes 3,
• the key 1 becomes 2,
• a new key is generated for key 1.

This way, keys are available during the period TTL * nb of keys in the set.

This feature will help to solve https://github.com/Spomky-Labs/oauth2-server-library/issues/97 or Spomky-Labs/lexik-jose-bridge#13

Add an option to share any JWKSet through a controller.
The controller should be a service. Developers will just have to create a route to allow the JWKSet to be retrieved by clients.

I'm following the From a JKU (JSON Wek Key URL) instructions to set up a cache as follows:

jose:
  key_sets:
    azure:
      jku:
          url: "https://login.microsoftonline.com/common/discovery/keys"
          is_secured: true
          cache: 'cache.app' # Issue with cache config option
          cache_ttl: 300

But am getting the following error:

TypeError: Argument 3 passed to Jose\Factory\JWKFactory::createFromJKU() must implement 
interface Psr\Cache\CacheItemPoolInterface or be null, string given

It looks like the literal string cache.app is being passed through instead of the object from the container.

At the moment, all PBES-* algorithms uses the following configuration:

• Salt size: 512 bits
• Number of counts: 4096

This bundle should allow to configure those algorithms with custom values.

At the moment the configuration helper only provides low level methods that return an array to be added to the jose configuration by the developers:

public function prepend(ContainerBuilder $container)
{
    $bundles = $container->getParameter('kernel.bundles');
    Assertion::keyExists($bundles, 'SpomkyLabsJoseBundle', 'The "Spomky-Labs/JoseBundle" must be enabled.');

    $jose_config = current($container->getExtensionConfig('jose'));
    $bundle_config = current($container->getExtensionConfig($this->getAlias()));

    $config = ConfigurationHelper::getSignerConfiguration($this->getAlias(), [$bundle_config['signature_algorithm']]);
    $jose_config['signers'] = array_merge(
        $jose_config['signers'],
        $config['jose']['signers']
    );

    $container->prependExtensionConfig('jose', $jose_config);
}

That is too complicated for devs. A better solution could be to have something like that to do:

public function prepend(ContainerBuilder $container)
{
    ConfigurationHelper::addSigner($container, 'service_name', ['list of algorithms']);
}

The configuration helper will automatically verify if the JoseBundle is enabled or not and will inject the desired configuration.