Manage OAuth-OIDC identity provider configurations on Confluent Cloud
Update your OAuth identity provider configurations, refresh the JWKS URI, and delete an identity provider following the steps below.
To add an OAuth identity provider to your Confluent Cloud organization, see Add an OAuth/OIDC Identity Provider on Confluent Cloud.
To add an identity pool, see Use OAuth Identity Pools with Your OAuth/OIDC Identity Provider on Confluent Cloud.
Update an OAuth identity provider configuration
You can update the following OAuth identity provider configurations:
- Name
- Description
- JWKS URI (To refresh an existing JWKS URI, see Refresh the JWKS URI below.)
- Issuer URI
To update your OAuth identity provider configurations, follow the steps for the Confluent Cloud Console or the Confluent Cloud REST API.
- Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at https://confluent.cloud/settings/org/workload_identities.
- Click the identity provider you want to update. The identity provider details page appears.
- To the right of Identity provider, click the Edit icon. The editable fields appear.
- Update the identity provider details, as needed.
- Click Save.
The identity provider details page reappears with the updated identity provider details.
Refresh the JWKS URI
You can manually refresh the JWKS URI of your OAuth identity provider using either the Confluent Cloud Console or the Confluent Cloud REST API to:
- Force immediate application of rotated public keys.
- Recover from automatic refresh failures.
Refresh Frequency Settings
The max-age directive in the Cache-Control header of the JWKS URI response determines how often keys are refreshed:
- Minimum: 5 minutes (300 seconds)
- Maximum: 7 days (604800 seconds)
- Default: 24 hours (86400 seconds) when max-age is not specified.
Note: Values below the minimum are automatically set to 5 minutes, while values above the maximum are capped at 7 days. To increase refresh frequency, set a lower max-age value in your Cache-Control header.
Example: To set a 1-hour (3600 seconds) refresh frequency, the Cache-Control header should be:
Cache-Control: max-age=3600
If the JWKS URI is temporarily unavailable, the system continues using the cached keys until the next successful refresh. In prolonged outages, you might need to manually refresh the JWKS URI using the procedure below once connectivity is restored.
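The following is an added example, not Confluent code: it applies the default, minimum and maximum described above to a Cache-Control header, and flags a key rotation whose new key goes live before the next scheduled refresh. The function names and the `lead_time_s` parameter are hypothetical, and treating a non-numeric max-age like a missing one is an assumption.

```python
"""Added example: effective JWKS refresh interval from a Cache-Control header."""

MIN_REFRESH_S = 300         # 5 minutes (documented minimum)
MAX_REFRESH_S = 604800      # 7 days (documented maximum)
DEFAULT_REFRESH_S = 86400   # 24 hours (documented default without max-age)


def parse_max_age(cache_control):
    """Return the max-age value in seconds, or None if absent or not a number."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() != "max-age":
            continue  # skips s-maxage, public, no-cache, ...
        value = value.strip().strip('"')
        # Assumption: a non-numeric max-age is treated like a missing one.
        return int(value) if value.isdecimal() else None
    return None


def effective_refresh_seconds(cache_control):
    """Apply the documented default, floor and cap to a Cache-Control header."""
    max_age = parse_max_age(cache_control)
    if max_age is None:
        return DEFAULT_REFRESH_S
    return max(MIN_REFRESH_S, min(max_age, MAX_REFRESH_S))


def rotation_needs_manual_refresh(cache_control, lead_time_s):
    """True if a new signing key is used sooner after publication than the
    refresh interval, so the cached key set may not contain it yet."""
    return lead_time_s < effective_refresh_seconds(cache_control)


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real identity provider.
    for header in ["max-age=3600", "public, max-age=60", "max-age=2592000",
                   "no-cache", None]:
        print(repr(header), "->", effective_refresh_seconds(header), "s")
```

If `rotation_needs_manual_refresh` returns True for your rotation plan, either publish the new key earlier or run the manual refresh described below right after publishing it.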
Use the Cloud Console to manually refresh the JWKS URI
To manually refresh the JWKS URI of your OAuth identity provider:
- Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers.
- Click the identity provider you want to refresh. The details page appears.
- Click Edit (icon) and then click Refresh JWKS keys.
The refresh operation proceeds and the identity provider details page appears.
Use the Confluent Cloud REST API to manually refresh the JWKS URI
To use the Confluent Cloud REST API to make a request to refresh the JWKS URI, see Refresh a provider’s JWKS.
Delete an OAuth identity provider
To delete an OAuth identity provider, you can use the Cloud Console or the Confluent Cloud REST API.
- Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers.
- Click the identity provider you want to delete. The identity provider details page appears.
- To the right of Identity provider, click the Edit icon. The editable fields appear.
- Click the Delete icon (to the right of Refresh JWKS keys).
- Click Save.
The identity provider is deleted.