
OIDC/JWKS Authentication: Enterprise SSO for Your APIs

Wesley Ellis
Oct 4, 2026
12 min read

OIDC/JWKS authentication is coming to G8KEPR in Q1 2025, enabling enterprise SSO integration with Auth0, Okta, Azure AD, Keycloak, and any OpenID Connect provider.

What is OIDC/JWKS?

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that lets users authenticate with your API using their existing enterprise credentials. JWKS (JSON Web Key Set) is a standard way to distribute the public keys used to verify JWT signatures.

How It Works

1. User logs in via Auth0/Okta/Azure AD
2. Identity provider issues a JWT access token
3. Client sends request to your API with token:
   Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

4. G8KEPR validates token:
   ✓ Download JWKS from provider (cached)
   ✓ Verify JWT signature using public key
   ✓ Check expiration (exp claim)
   ✓ Verify audience (aud claim)
   ✓ Verify issuer (iss claim)

5. If valid, extract claims and forward request
6. If invalid, return 401 Unauthorized

Configuration Example

# config.yaml
authentication:
  oidc:
    enabled: true
    providers:
      - name: auth0
        issuer: https://yourcompany.auth0.com/
        audience: https://api.yourcompany.com
        jwks_uri: https://yourcompany.auth0.com/.well-known/jwks.json

      - name: okta
        issuer: https://yourcompany.okta.com/oauth2/default
        audience: api://yourapi
        jwks_uri: https://yourcompany.okta.com/oauth2/default/v1/keys

      - name: azure
        issuer: https://login.microsoftonline.com/{tenant-id}/v2.0
        audience: api://your-client-id
        jwks_uri: https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys

    # JWKS cache settings
    jwks_cache_ttl: 3600  # Cache keys for 1 hour
    jwks_refresh_interval: 300  # Refresh every 5 mins

    # Token validation
    clock_skew_tolerance: 60  # Allow 60s clock skew

    # Claims extraction
    user_claim: sub  # Which claim contains user ID
    email_claim: email
    roles_claim: roles  # For RBAC

Supported Providers

🔐 Auth0

Industry-leading identity platform

  • ✓ OIDC discovery URL auto-config
  • ✓ Social login support
  • ✓ Custom claims in tokens
  • ✓ Organizations/tenants

🏢 Okta

Enterprise identity management

  • ✓ Workforce + Customer Identity
  • ✓ API access management
  • ✓ Custom scopes
  • ✓ MFA enforcement

☁️ Azure AD

Microsoft enterprise identity

  • ✓ Active Directory integration
  • ✓ Conditional access policies
  • ✓ App registrations
  • ✓ B2C/B2B support

🔓 Keycloak

Open source identity server

  • ✓ Self-hosted option
  • ✓ Realm management
  • ✓ Client adapters
  • ✓ Social identity providers

Advanced Features

1. Per-User Rate Limiting

Extract user ID from JWT and apply rate limits per user instead of per IP:

rate_limit:
  by: user_id  # Instead of IP address
  claim: sub  # JWT claim containing user ID

  tiers:
    free:
      limit: 100/hour
      matching_claim: plan=free

    pro:
      limit: 10000/hour
      matching_claim: plan=pro

    enterprise:
      limit: unlimited
      matching_claim: plan=enterprise

2. Custom Claims Extraction

Extract custom claims from JWTs and use them in routing/authorization:

authentication:
  oidc:
    extract_headers:
      - claim: email
        header: X-User-Email

      - claim: roles
        header: X-User-Roles

      - claim: organization_id
        header: X-Org-ID

      - claim: plan
        header: X-Subscription-Plan

# Now your backend receives:
# X-User-Email: john@example.com
# X-User-Roles: ["admin", "developer"]
# X-Org-ID: org_abc123
# X-Subscription-Plan: enterprise

3. Role-Based Access Control (RBAC)

authorization:
  rbac:
    enabled: true
    roles_claim: roles  # JWT claim with user roles

    rules:
      - path: /api/admin/*
        allowed_roles: [admin]

      - path: /api/users/*
        allowed_roles: [admin, user]
        method: GET

      - path: /api/billing/*
        allowed_roles: [billing_admin]

      - path: /api/public/*
        allowed_roles: []  # Anyone (even unauthenticated)

JWKS Automatic Rotation

Identity providers periodically rotate their signing keys for security. G8KEPR automatically handles this:

Event                     G8KEPR Behavior
Initial Startup           Download JWKS from provider
Every 5 Minutes           Background refresh of JWKS (configurable)
Token Validation Fails    Force-fetch fresh JWKS and retry once
Provider Adds New Key     Auto-accepted on next refresh
Provider Rotates Keys     Old keys cached until expiration

Migration Path

If you currently use API keys, you can migrate to OIDC gradually:

1. Enable Both Auth Methods: support API keys AND OIDC tokens simultaneously
2. Roll Out OIDC to Beta Users: test with a small percentage of traffic first
3. Monitor & Validate: check logs, error rates, and user feedback
4. Migrate All Users: send emails, update docs, provide a migration guide
5. Deprecate API Keys: set a deadline, disable the old auth method after the grace period

Coming Q1 2025

OIDC/JWKS authentication will be included in the Growth plan ($299/mo) and above. Join the beta to help test the integration with your identity provider.
