If forced JWKS refresh fails, any cached JWKSes are left active in memory. This preserves availability. However, administrators perform JWKS refresh to recover from IdP private key compromise. It can be important for compromised key material to be distrusted, even if we are unable to obtain fresh, valid, material.

We should introduce a mechanism which lets us flush JWKS even on re-acquisition failure.