Current implementation of the public key fetching does refresh public keys every hour. If public certs refresh fails during refresh - ID token validation is blocked until refresh succeeds. Normally we expect that to be rare and transient, but we want to try to avoid it altogether.

Alternative solution is to check certificate field for expiration date and refresh when the date is close. Potentially we want to consider a combination of two.