Manage OAuth-OIDC identity provider configurations on Confluent Cloud

Update your OAuth identity provider configurations, refresh the JWKS URI, and delete an identity provider following the steps below.

To add an OAuth identity provider to your Confluent Cloud organization, see Add an OAuth/OIDC Identity Provider on Confluent Cloud.

To add an identity pool, see Use Identity Pools with Your OAuth/OIDC Identity Provider on Confluent Cloud.

Update an OAuth identity provider configuration

You can update the following OAuth identity provider configurations:

  • Name
  • Description
  • JWKS URI (To refresh an existing JWKS URI, see Refresh the JWKS URI below.)
  • Issuer URI

To update your OAuth identity provider configurations, follow the steps for the Confluent Cloud Console or the Confluent Cloud REST API.

  1. Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at https://confluent.cloud/settings/org/workload_identities.
  2. Click the identity provider you want to update. The identity provider details page appears.
  3. To the right of Identity provider, click the Edit icon. The editable fields appear.
  4. Update the identity provider details, as needed.
  5. Click Save.

The identity provider details page reappears with the updated identity provider details.

Refresh the JWKS URI

You can manually refresh the JWKS URI of your OAuth identity provider if the automatic refresh fails or if you rotate the public keys of your OAuth identity provider and want the changes to take effect immediately.

By default, the JWKS URI refreshes at the frequency specified by the cache-control header in the response from the JWKS URI, with the following qualifications:

  • The minimum (default) value is five minutes. If the value is not specified, or the value is set less than five minutes, the value is overridden and set to five minutes.
  • The maximum refresh is seven days. If the response header states that the JWKS keys are valid for a month, the keys are still refreshed at seven day intervals.

If the JWKS URI is not available, the automatic refresh fails. For more information, see Manage the JWKS URI on Confluent Cloud.

You can manually refresh the JWKS URI of your OAuth identity provider using either the Confluent Cloud Console or the Confluent Cloud REST API.

Use the Cloud Console to manually refresh the JWKS URI

To manually refresh the JWKS URI of your OAuth identity provider:,

  1. Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers.
  2. Click the identity provider you want to refresh. The details page appears.
  3. Click Edit (icon) and then click Refresh JWKS keys.

The refresh operation proceeds and the identity provider details page appears.

Delete an OAuth identity provider

To delete an OAuth identity provider, you can use the Cloud Console or the Confluent Cloud REST API.

  1. Sign in to the Cloud Console and go to the Workload identities tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers.
  2. Click the identity provider you want to update. The identity provider details page appears.
  3. To the right of Identity provider, click the Edit icon. The editable fields appear.
  4. Click the Delete icon (to the right of Refresh JWKS keys).
  5. Click Save.

The identity provider is deleted.