Manage the JWKS URI on Confluent Cloud

You need to manage the JSON Web Key Set (JWKS) URI of your OAuth identity provider to:

  • Ensure that the public keys used to verify the signatures of JSON Web Tokens (JWTs) are up to date. Follow the steps below to manually refresh the JWKS URI if the automatic refresh fails or if you rotate the public keys.
  • Verify network access to your JWKS URI at least every three months if your identity provider is behind a firewall.

Refresh the JWKS URI of an OAuth identity provider

You can manually refresh the JWKS URI of your OAuth identity provider if the automatic refresh fails or if you rotate the public keys of your OAuth identity provider and want the changes to take effect immediately.

By default, the JWKS URI refreshes at the frequency specified by the cache-control header in the response from the JWKS URI. If a cache-control value is not specified, the default refresh period is every one hour. Note that the refresh period is capped at a maximum of seven days. For example, if the response header states that the JWKS keys are valid for a month, the keys are still refreshed at seven day intervals.
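The refresh schedule described above (use the Cache-Control max-age from the JWKS response, fall back to one hour when none is given, never wait longer than seven days) is easy to get wrong when you are reasoning about how quickly a rotated key will be picked up. The following Python helper is an added example, not code from Confluent; it only implements the rule as stated on this page and makes no assumption about how Confluent parses the header internally.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_REFRESH_SECONDS = 60 * 60          # one hour when no cache-control value is present
MAX_REFRESH_SECONDS = 7 * 24 * 60 * 60     # the refresh period is capped at seven days

# Matches a max-age directive anywhere in a Cache-Control header, quoted or not.
_MAX_AGE = re.compile(r'(?:^|,)\s*max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def refresh_interval_seconds(cache_control: Optional[str]) -> int:
    """Seconds until the JWKS keys are fetched again, per the rule on this page.

    - max-age present: use it, but never more than seven days
    - no max-age (header missing, empty, or only no-cache/no-store): one hour
    """
    if cache_control:
        match = _MAX_AGE.search(cache_control)
        if match:
            return min(int(match.group(1)), MAX_REFRESH_SECONDS)
    return DEFAULT_REFRESH_SECONDS


def next_refresh_at(cache_control: Optional[str], fetched_at: datetime) -> datetime:
    """Timestamp of the next automatic refresh after a fetch at `fetched_at`."""
    return fetched_at + timedelta(seconds=refresh_interval_seconds(cache_control))


if __name__ == "__main__":
    # A JWKS response that claims its keys are good for 30 days is still re-read weekly.
    print(refresh_interval_seconds("public, max-age=2592000"))   # 604800
    print(refresh_interval_seconds("no-cache"))                  # 3600
```

The practical reading: after rotating a key at your identity provider, the old key stays trusted for up to `refresh_interval_seconds(...)` seconds unless you trigger the manual refresh described in the next section. A header of `max-age=0` yields an interval of 0 here; whether Confluent floors that value is not stated on this page.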

If the JWKS URI is not available, the automatic refresh fails.

You can manually refresh the JWKS URI of your OAuth identity provider using either the Confluent Cloud Console or the Confluent Cloud REST API.

Use the Confluent Cloud Console to manually refresh the JWKS URI

To manually refresh the JWKS URI of your OAuth identity provider:

  1. Sign in to the Confluent Cloud Console and go to the Workload identities tab on the Accounts & access page at https://confluent.cloud/settings/org/workload_identities.
  2. Click the identity provider you want to refresh. The details page appears.
  3. Click the Edit icon and then click Refresh JWKS keys.

The refresh operation proceeds and the identity provider details page appears.

Verify network access to the JWKS URI

If your identity provider is behind a firewall, verify network access from Confluent Cloud to your identity provider at least every three months, so that Confluent Cloud can reach your JWKS endpoint over the internet from its public IP addresses. Contact your identity provider to add new Confluent Cloud public IP addresses to your firewall allowlist.

To get the available Confluent Cloud public IP addresses, run the following curl command, using your API key and API secret:

# Line continuations and double quotes are required: inside single quotes the
# $(...) would be sent literally instead of being expanded. tr strips the line
# wrap that some base64 implementations insert into long outputs.
curl -X GET "https://api.confluent.cloud/networking/v1/ip-addresses?services=EXTERNAL_OAUTH" \
  -H "Authorization: Basic $(echo -n "${API_KEY_ID}:${API_KEY_SECRET}" | base64 | tr -d '\n')" \
  -H "Content-Type: application/json"

Alternatively, you can view the available Confluent Cloud public IP addresses on the Confluent Cloud Console. Navigate to Accounts and access -> Workload identities tab.
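The quarterly check is only useful if you actually compare the list Confluent publishes against what your firewall allows. The following Python script is an added example, not Confluent's code: it takes the JSON returned by the curl command above (a constructed sample is embedded here, and the response shape, a `data` list whose entries carry `ip_prefix` and `services`, is an assumption) together with your current allowlist, and reports every EXTERNAL_OAUTH egress prefix that no allowlist entry covers. Those are the prefixes to hand to whoever manages the firewall.

```python
import ipaddress
import json
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample standing in for the body returned by the ip-addresses API.
# Assumed shape: {"data": [{"ip_prefix": ..., "services": [...], ...}, ...]}.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"ip_prefix": "203.0.113.0/24",    "services": ["EXTERNAL_OAUTH"], "address_type": "EGRESS"},
        {"ip_prefix": "198.51.100.128/25", "services": ["EXTERNAL_OAUTH"], "address_type": "EGRESS"},
        {"ip_prefix": "2001:db8:10::/48",  "services": ["EXTERNAL_OAUTH"], "address_type": "EGRESS"},
        {"ip_prefix": "192.0.2.0/24",      "services": ["KAFKA"],          "address_type": "EGRESS"},
    ]
})

# Constructed example of the rules a firewall currently allows towards the JWKS endpoint.
CURRENT_ALLOWLIST = ["203.0.113.0/24", "192.0.2.0/24"]


def oauth_egress_prefixes(response_body: str, service: str = "EXTERNAL_OAUTH") -> List[Network]:
    """Prefixes from the API response that are tagged with the given service."""
    nets: List[Network] = []
    for entry in json.loads(response_body)["data"]:
        if service in entry.get("services", []):
            nets.append(ipaddress.ip_network(entry["ip_prefix"], strict=False))
    return nets


def is_covered(prefix: Network, allowlist: List[Network]) -> bool:
    """True if some allowlist entry contains the whole prefix (same IP version only)."""
    return any(prefix.version == allowed.version and prefix.subnet_of(allowed)
               for allowed in allowlist)


def missing_from_allowlist(response_body: str, allowlist: List[str]) -> List[str]:
    """EXTERNAL_OAUTH prefixes that the firewall does not yet allow, as sorted strings."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return sorted(str(p) for p in oauth_egress_prefixes(response_body)
                  if not is_covered(p, allowed))


if __name__ == "__main__":
    gaps = missing_from_allowlist(SAMPLE_RESPONSE, CURRENT_ALLOWLIST)
    if gaps:
        print("Add these Confluent Cloud prefixes to the firewall allowlist:")
        for prefix in gaps:
            print("  ", prefix)
    else:
        print("Allowlist already covers every EXTERNAL_OAUTH prefix.")
```

Coverage is checked with `subnet_of`, so an allowlist entry that is broader than the published prefix (for example a /16 that contains a published /24) counts as covering it, while an entry of the other IP version never does; a missing IPv6 prefix is a common way to pass a casual eyeball review and still fail the actual key fetch.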

[Screenshot: the Workload identities tab on the Confluent Cloud Console, showing the Confluent Cloud public IP addresses (oauth-oidc-jwks-workload-identities-tab.png)]