headless JWKS 워커 실패 backoff 및 timeout 단축

backend/internal/service/headless_jwks_cache_test.go

@@ -143,6 +143,49 @@ func TestHeadlessJWKSCacheService_EnsureFreshKeySet_RefreshesWhenKidMissing(t *t
 	assert.Equal(t, []string{"fresh-key"}, stored.CachedKids)
 }
 
+func TestHeadlessJWKSCacheService_PersistRefreshFailure_SetsNextRetryAtAfterThreshold(t *testing.T) {
+	redisRepo := &headlessJWKSCacheTestRedis{}
+	cacheService := NewHeadlessJWKSCacheService(redisRepo, nil)
+	cacheService.FailureThreshold = 3
+	cacheService.FailureBackoff = 15 * time.Minute
+
+	client := domain.HydraClient{
+		ClientID: "client-headless",
+		Metadata: map[string]any{
+			domain.MetadataHeadlessLoginEnabled: true,
+			domain.MetadataHeadlessJWKSURI:      "https://rp.example.com/.well-known/jwks.json",
+		},
+	}
+
+	previous := &domain.HeadlessJWKSCacheState{
+		ClientID:            client.ClientID,
+		JWKSURI:             "https://rp.example.com/.well-known/jwks.json",
+		LastRefreshStatus:   "failure",
+		ConsecutiveFailures: 2,
+	}
+
+	state := cacheService.persistRefreshFailure(client, previous, assert.AnError)
+	require.NotNil(t, state)
+	assert.Equal(t, 3, state.ConsecutiveFailures)
+	require.NotNil(t, state.NextRetryAt)
+	assert.WithinDuration(t, time.Now().Add(15*time.Minute), *state.NextRetryAt, 3*time.Second)
+}
+
+func TestHeadlessJWKSCacheService_ShouldPrefetch_SkipsUntilNextRetryAt(t *testing.T) {
+	cacheService := NewHeadlessJWKSCacheService(&headlessJWKSCacheTestRedis{}, nil)
+	now := time.Now()
+
+	state := &domain.HeadlessJWKSCacheState{
+		ClientID:            "client-headless",
+		LastRefreshStatus:   "failure",
+		ConsecutiveFailures: 3,
+		NextRetryAt:         ptrTestTime(now.Add(10 * time.Minute)),
+	}
+
+	assert.False(t, cacheService.ShouldPrefetch(state, now))
+	assert.True(t, cacheService.ShouldPrefetch(state, now.Add(11*time.Minute)))
+}
+
 func mustServiceHeadlessRSAJWK(t *testing.T, kid string) (*rsa.PrivateKey, jose.JSONWebKeySet) {
 	t.Helper()