kgateway-dev · dmitri-d · Nov 21, 2025 · Nov 24, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/api/v1alpha1/agentgateway/agentgateway_policy_types.go b/api/v1alpha1/agentgateway/agentgateway_policy_types.go
@@ -540,22 +540,21 @@ type JWKS struct {
 	Inline *string `json:"inline,omitempty"`
 }
 
-// +kubebuilder:validation:ExactlyOneOf=uri;backendRef
 type RemoteJWKS struct {
-	// IdP jwks endpoint. Default tls settings are used to connect to this url.
-	// +kubebuilder:validation:Pattern=`^(https|http):\/\/[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*(:\d+)?\/.*$`
-	// +optional
-	JwksUri string `json:"uri,omitempty"`
+	// Path to IdP jwks endpoint. Default tls settings are used to connect to this url.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=2000
+	JwksPath string `json:"jwksPath"`
 	// +optional
 	// +kubebuilder:validation:XValidation:rule="matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')",message="invalid duration value"
 	// +kubebuilder:validation:XValidation:rule="duration(self) >= duration('5m')",message="cacheDuration must be at least 5m."
 	// +kubebuilder:default="5m"
 	CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"`
 	// backendRef references the remote JWKS server to reach.
-	// Not implemented yet, only jwksUri is currently supported.
 	// Supported types: Service and Backend.
-	// +optional
-	BackendRef gwv1.BackendObjectReference `json:"backendRef,omitempty"`
+	// +required
+	BackendRef gwv1.BackendObjectReference `json:"backendRef"`
 }
 
 // +kubebuilder:validation:Enum=Strict;Optional

diff --git a/hack/dummy-idp/dummy-idp.cert b/hack/dummy-idp/dummy-idp.cert
@@ -1,21 +1,32 @@
 -----BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUdgqhaX5KZBbpKLFaKBTq+CyF5r4wDQYJKoZIhvcNAQEL
-BQAwMzEVMBMGA1UECgwMa2dhdGV3YXkuZGV2MRowGAYDVQQDDBFkdW1teS1pZHAu
-ZGVmYXVsdDAeFw0yNTExMTkxODQ0MDZaFw0zNTExMTcxODQ0MDZaMDMxFTATBgNV
-BAoMDGtnYXRld2F5LmRldjEaMBgGA1UEAwwRZHVtbXktaWRwLmRlZmF1bHQwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCveFzIPXbf8b89On8VHtgEDabs
-Ghm52K9Hv2/9nHIaEzrnl67undW2onVBI/IMhrkPQXL59dTyw3lw1KQwtDbPLbHJ
-vPUxX5pYE8HDCinMpxgueJQeXjGjA3B0zMzAGKGy1afSFkoemPgWGk3z9+RA31ZO
-im+pdLu1a/7es+AxVzassnVvN3NBuVr4Baxj6f2MIaUHrnp31fmZZhEFDUajlPxx
-/dfVe+eowV70rdSjGi1r4/HKeEfobWUJSTNYSEHttPIHl+i7NW/ArzKjZDb5gNML
-Jzr3/mbMGB0QS60iDuMaCi7rzKdalPhNBEB5VMTxXnleFXkrWmHCFGL3Q4f7AgMB
-AAGjcTBvMB0GA1UdDgQWBBTd/irgnmCNgU6tVEmTvAwB9PITQzAfBgNVHSMEGDAW
-gBTd/irgnmCNgU6tVEmTvAwB9PITQzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQV
-MBOCEWR1bW15LWlkcC5kZWZhdWx0MA0GCSqGSIb3DQEBCwUAA4IBAQBW6S8mMJsg
-86mzDx3mSRy8sRHKfA83cbrouyQDOQn26QEFoK9pz9M67G19F87VQVzV/je4QySq
-XizOoPQtMGRTjUZwumG3tTEKd7lxy2FadDWZq/NQkhs5Y5iyipfSJV8Iejs5yjDI
-iqrPxehOO4MlGyUZDWXEt4mKdUZ67SdcLlUUZEv4jVbOkpgVrastJXwwdnbQaH/9
-6wPzcCTVcAeee1Jf0E5uTDg62skWAuuDIN0n3pQdIdB2vikinAE3rpELivrCs+Ae
-uI9xYJwlp4Z3QeP2651npVTMfpyxqYz5Mk7Hvze0U/WArEAY1wRgQgbYB0MT+ITl
-u7KRkPMMak84
+MIIFfDCCA2SgAwIBAgIUOBEwNkgGCBk5gTlks4MgZjBwcB0wDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgZHVtbXktaWRwLmRlZmF1bHQsTz1rZ2F0ZXdheS5kZXYw
+HhcNMjUxMjEyMjIyNTAyWhcNMzUxMjEwMjIyNTAyWjArMSkwJwYDVQQDDCBkdW1t
+eS1pZHAuZGVmYXVsdCxPPWtnYXRld2F5LmRldjCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAKPDXO2JEDlruWLQACZqQyFoJTw9dUpay+QcVrgnDv8ULM9F
+wSVpIgiT7/reqfWQsyWH8bhyZ60SD2v6BqRdvU8d5G7Lzjjiv7D1kRmdoM05rHeW
+rFWrMsd3tTVYIdkDwsOqb/4/3YXhzZstI8N9I9mqQFfR0Oahjwub1fQqGkU4AldO
+WGTgsllI0ZDV8IDuARlOQ8ZysxL2axxXJ4Io4eDMZ6uwbeW5JXv/ajLz3Gx9vpWf
+LlfPHCB4/Z+EErw/g55PEM8ftvK5ijT2+QPULSdrkO/YjByV9IPNjYou9JEcI1KP
+Q2q4VcjQV83dcRFDw11o6MhOicVNwdTFBia6aStpxU/fsYaoaPiK0OWOZ3SjtoNV
+PT17geh5kX+4eTmzdC/9hFh+qncyzfHdomBFQlamQ5Pzg3ngLoNm5Iyk/OuUgLg8
+sgYf7coYDygzzagxxpTRS7VyfwqLlMaRbqBUrX9IHVpn17CqtsrI1ihadv9q4wc3
+Mxt2rdT1GfpE7yCB/NrAzCe2ZVWkNkX8Zb0taD79r/daOBgakHf9L/EqYTsgGO3s
+XiF7G3lbRpLwOKHiHP9YbQCdoh8Y3qzGi9DLlmDIaQShtJPUmCb7u7kL9bW2SPRL
++zH2ZY5258CZWndAGe06wQVgLv0aI7kre+Sf1YfZxRbzE595TBWQO/RRT3I7AgMB
+AAGjgZcwgZQwHQYDVR0OBBYEFAIkfyn6riDFT/LhatXG1uS5u8HKMB8GA1UdIwQY
+MBaAFAIkfyn6riDFT/LhatXG1uS5u8HKMA8GA1UdEwEB/wQFMAMBAf8wQQYDVR0R
+BDowOIIRZHVtbXktaWRwLmRlZmF1bHSCI2R1bW15LWlkcC5kZWZhdWx0LnN2Yy5j
+bHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4ICAQAxzxHhT9uvTBHKeu+7zOdU
+A+rju5gPjeItds3r2YdHqqjidkK53qWnvrqteoguT8lxGXaSL0QzL3l9eFp80BIP
+8MmlI+zs8Q/cO9gCeEf+3ul+nx2YzF33W/PNahHfLDbLIFDoQMkhTyemEh1GEqmm
+6frHgO2OgdIO6jyIF0GN0SFvCW6J32k3teRsN2OLRQCuCftJ/Q2dwuXZfmx0sf0R
+Hz7JNBdH9U8iCYhSefd3VWCro2sPB3XT7evH9+orFikvbb5fggo4WGjvc7CPKlMj
+59PGlloJCUP9FIhR5/oot6yH9NsdOzDWY51makMhE4nq/ET8omaawSCclTE8mDWk
++s/8MBQkk6T72zaVX6Eqnb0RatIHkr9C6zfy/ZE4E5A6Lw+EwdGPaXg5pCBO0miM
+jImoFyNvXEGWY3w6AX8ho1L27ZiTApMTc2fYUYCy4QP+MDjEp1+yFrjFSFpUhF0Z
++Tl37cUWZcm4nUxEcu/pfedKyliR2yKBfi3jg7cDzVB86tSHzIvPgxpl2ivEEb0E
+ohncCC1Z//SKb7QFs1Obry3hIIBpEyVVvGB580AdxgLY9nhrvv/6gw01JtEPXczV
+1BTCWIUc6WafBlAiWrm3tR36kaRn2RrIlCAFrMznQMafCfMLCTWsYudkrabl7W9n
+yamda6yFfH9bkPO+XBK3lQ==
 -----END CERTIFICATE-----
diff --git a/hack/dummy-idp/dummy-idp.go b/hack/dummy-idp/dummy-idp.go
@@ -5,8 +5,16 @@ import (
 	"crypto/x509"
 	"log"
 	"net/http"
+
+	_ "embed"
 )
 
+//go:embed dummy-idp.cert
+var cert []byte
+
+//go:embed dummy-idp.key
+var key []byte
+
 func main() {
 	roots := x509.NewCertPool()
 	if !roots.AppendCertsFromPEM(cert) {
@@ -31,6 +39,10 @@ func main() {
 		w.Header().Add("content-type", "application/json")
 		w.Write(orgThreeJwks)
 	})
+	mux.HandleFunc("/org-four/keys", func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Add("content-type", "application/json")
+		w.Write(orgFourJwks)
+	})
 	mux.HandleFunc("/org-one/jwt", func(w http.ResponseWriter, req *http.Request) {
 		w.Header().Add("content-type", "application/json")
 		w.Write(orgOneJwt)
@@ -43,6 +55,10 @@ func main() {
 		w.Header().Add("content-type", "application/json")
 		w.Write(orgThreeJwt)
 	})
+	mux.HandleFunc("/org-four/jwt", func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Add("content-type", "application/json")
+		w.Write(orgFourJwt)
+	})
 
 	cfg := &tls.Config{
 		RootCAs:      roots,
@@ -61,70 +77,6 @@ func main() {
 }
 
 var (
-	// self-signed cert with:
-	// Issuer: O=kgateway.dev, CN=dummy-idp.default
-	// Validity
-	//
-	//	Not Before: Nov 19 18:44:06 2025 GMT
-	//	Not After : Nov 17 18:44:06 2035 GMT
-	//
-	// Subject: O=kgateway.dev, CN=dummy-idp.default
-	// ...
-	// X509v3 extensions:
-	//
-	//	X509v3 Subject Alternative Name:
-	//	    DNS:dummy-idp.default
-	cert = []byte(`-----BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUdgqhaX5KZBbpKLFaKBTq+CyF5r4wDQYJKoZIhvcNAQEL
-BQAwMzEVMBMGA1UECgwMa2dhdGV3YXkuZGV2MRowGAYDVQQDDBFkdW1teS1pZHAu
-ZGVmYXVsdDAeFw0yNTExMTkxODQ0MDZaFw0zNTExMTcxODQ0MDZaMDMxFTATBgNV
-BAoMDGtnYXRld2F5LmRldjEaMBgGA1UEAwwRZHVtbXktaWRwLmRlZmF1bHQwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCveFzIPXbf8b89On8VHtgEDabs
-Ghm52K9Hv2/9nHIaEzrnl67undW2onVBI/IMhrkPQXL59dTyw3lw1KQwtDbPLbHJ
-vPUxX5pYE8HDCinMpxgueJQeXjGjA3B0zMzAGKGy1afSFkoemPgWGk3z9+RA31ZO
-im+pdLu1a/7es+AxVzassnVvN3NBuVr4Baxj6f2MIaUHrnp31fmZZhEFDUajlPxx
-/dfVe+eowV70rdSjGi1r4/HKeEfobWUJSTNYSEHttPIHl+i7NW/ArzKjZDb5gNML
-Jzr3/mbMGB0QS60iDuMaCi7rzKdalPhNBEB5VMTxXnleFXkrWmHCFGL3Q4f7AgMB
-AAGjcTBvMB0GA1UdDgQWBBTd/irgnmCNgU6tVEmTvAwB9PITQzAfBgNVHSMEGDAW
-gBTd/irgnmCNgU6tVEmTvAwB9PITQzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQV
-MBOCEWR1bW15LWlkcC5kZWZhdWx0MA0GCSqGSIb3DQEBCwUAA4IBAQBW6S8mMJsg
-86mzDx3mSRy8sRHKfA83cbrouyQDOQn26QEFoK9pz9M67G19F87VQVzV/je4QySq
-XizOoPQtMGRTjUZwumG3tTEKd7lxy2FadDWZq/NQkhs5Y5iyipfSJV8Iejs5yjDI
-iqrPxehOO4MlGyUZDWXEt4mKdUZ67SdcLlUUZEv4jVbOkpgVrastJXwwdnbQaH/9
-6wPzcCTVcAeee1Jf0E5uTDg62skWAuuDIN0n3pQdIdB2vikinAE3rpELivrCs+Ae
-uI9xYJwlp4Z3QeP2651npVTMfpyxqYz5Mk7Hvze0U/WArEAY1wRgQgbYB0MT+ITl
-u7KRkPMMak84
------END CERTIFICATE-----`)
-
-	key = []byte(`-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCveFzIPXbf8b89
-On8VHtgEDabsGhm52K9Hv2/9nHIaEzrnl67undW2onVBI/IMhrkPQXL59dTyw3lw
-1KQwtDbPLbHJvPUxX5pYE8HDCinMpxgueJQeXjGjA3B0zMzAGKGy1afSFkoemPgW
-Gk3z9+RA31ZOim+pdLu1a/7es+AxVzassnVvN3NBuVr4Baxj6f2MIaUHrnp31fmZ
-ZhEFDUajlPxx/dfVe+eowV70rdSjGi1r4/HKeEfobWUJSTNYSEHttPIHl+i7NW/A
-rzKjZDb5gNMLJzr3/mbMGB0QS60iDuMaCi7rzKdalPhNBEB5VMTxXnleFXkrWmHC
-FGL3Q4f7AgMBAAECggEAN/sZ+sZlQRAi15lshuP2veBPI182WuzvCuBgDdTWMEx3
-TADADh+r2Z8d8oDRzb5Dl0LluCp+XE8R1PX6RhGQtOtan8aZoT1jg/sVo7B/4mti
-0xykAMZDZsMHozPdlOGm4OO6LVPwJK/f4klVGmM5XpsCMX+IHVOBOWGxiAJyIbsu
-Nadg0IXREomEIJK7p+kVAxBEYkWddIiCSJ5xfeLHPls1VG1FRzT+0Xq5MYih5BkM
-JYBmmm8Iofg/yJb0SMMW5JRWBzTK0gwni8s6qq+mLXWmuSNnqh7TwPwEUO3Cxg44
-QLxlXnMJn8lgthjPbxAGs+uSYWcwQbBc02p0EQe0KQKBgQDko2ifLJhXkGhFSCBZ
-qHF8I6TOumzicsVlP/tm1JXTrtPoEBdyIcMb+KTnUxTxfIOiFb9GtdYTLZW6xQEU
-nutAXezRK25drZtTlSEiTWvZFVAFO2Io+S5ZtOLi+N6lp7We49a5uvvjavJrjAAp
-b95zyrjK/VFdifXaRIG1ZcB9aQKBgQDEeBZ8myYdENRo8zt/n15El184Tpc/tAkb
-XEEjddrsIz6ekIeEclFwaRi00p4UYV2EA5tmx8u651zIcZAF/rnix1Kz4JDuAOlc
-+KEnBL81SIybHMzdq8smJmMO2NQSHSrKjsCtQDzb7INEUd9VaiiEOHoaCcqL1ZfA
-SUUhx+bZwwKBgQDg37+k3q2vYf7MNZZr2HpVyJDuKvmw94Uign13tBrwqoENO9Zz
-kLVfq3w1cMemg/rLzmvk1i+JiUo8+kqHx45GLpsfV4IjbP7ahFCkdlVem9Gqc6+l
-8P8fiAOnjXMepwbBEgI9hqT8FlH8aSQ3nSnD5V0/eUsvnuNKHBsfGMbsEQKBgDQ5
-q9iRsW72g1AmoAFLztYy2sfv9Dql0+nm+xW/BWPR9ppV1wA5FzbnaP7gIc9PFnm6
-L7wBjkFvsPVDYsKFNMp4q55PKpdpvJ7PJJ9nnqA+Wcn9vOOMACNy/s/6iV0LTc2s
-ZsFnGwZm93nYvaJJ5t1G2gZD5giHzZ/6mhrhtZbbAoGALWewB6J4CkCNAS0qJK85
-I6LrayNR7IcsaUKvLgaggg1FejZRPHkGECjsDfsGpcJAhAYZSBz6ToXODPdSCDJz
-A2hJwkkTrX6zaKDhkDXvVhiz0JB6win4CBnU/zKzf6PExraX+Vd+pWzdSxCBupDl
-TFwmV3iuItdcF82i2fBZlXk=
------END PRIVATE KEY-----`)
-
 	// jwks and jwts were generated using hack/utils/jwt/jwt-generator.go
 	// jwts are valid until Aug 2035
 	//   "iss": "https://kgateway.dev",
@@ -137,4 +89,8 @@ TFwmV3iuItdcF82i2fBZlXk=
 
 	orgThreeJwks = []byte(`{"keys":[{"use":"sig","kty":"RSA","kid":"8879871533137308459","n":"sjnFKA9NxpP39HykPZX6BqiFXmAAMC0YJ1WC2t_2Vo1kXbI64Pb__eKoGaT2my1xedCqnJVyWDjiRSHSzmiJkJ4_h8d62mzCVN2y3mMCDL75OFjz6Hyn2p5dWoIZ0b5SCiZNvBUxJ6ccN51qctzAeReeMP_xM8sWRAN-Xnp8JCltKLv2Kwme5U7UXwzxUxMJsbm6ZMFy-IUMDdmIHgHkIi8-AIvnP0ddtiH_MrJQ6bMwNjecRJ-f1Ut2FVhVTpLiU43UUYExEHLtMXl60ph0RI0mD--FvNmVaYPsysX7FejR49FyCOiCMznOrc_nnKB0M7oggvmjAr8dGghMmL_7VQ","e":"AQAB","x5c":["MIIC3jCCAcagAwIBAgIBIzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQKEwxrZ2F0ZXdheS5kZXYwHhcNMjUxMTE5MTkxMjU4WhcNMjUxMTE5MjExMjU4WjAXMRUwEwYDVQQKEwxrZ2F0ZXdheS5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyOcUoD03Gk/f0fKQ9lfoGqIVeYAAwLRgnVYLa3/ZWjWRdsjrg9v/94qgZpPabLXF50KqclXJYOOJFIdLOaImQnj+Hx3rabMJU3bLeYwIMvvk4WPPofKfanl1aghnRvlIKJk28FTEnpxw3nWpy3MB5F54w//EzyxZEA35eenwkKW0ou/YrCZ7lTtRfDPFTEwmxubpkwXL4hQwN2YgeAeQiLz4Ai+c/R122If8yslDpszA2N5xEn5/VS3YVWFVOkuJTjdRRgTEQcu0xeXrSmHREjSYP74W82ZVpg+zKxfsV6NHj0XII6IIzOc6tz+ecoHQzuiCC+aMCvx0aCEyYv/tVAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCB8Dj9WYuJ5bK89WNtCQw8XKlBIOUwUyYxU2X5bvIqQPRnOyBR62GaFDY3ER3gdCqVVwcW01cpBHk91cTPdZnWh5wnFTrQuUUA65FcbN8haNIY75OfCQmxxob+yPNJB1wqvTXcUXcF4lN7/7LVpy5jbaJDdWmIKhDPXumgb+pjNsN4VwsF5vbtkdXEDwfA9/BI2POyjlstbz1aYwvrLM6KlOFkE/2oq9r1IksMMg9RIHhAHX1vEDrmxGYdYmPF/mHpQzBu9vdgCUx2pR11vvShc7T2JxaZrsTB0eA4Zli6CayOjWJQILBGxt5btUJxNjKCAwTyaq87iY4CwtxB2jip"]}]}`)
 	orgThreeJwt  = []byte(`eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg4Nzk4NzE1MzMxMzczMDg0NTkiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2tnYXRld2F5LmRldiIsInN1YiI6Imlnbm9yZUBrZ2F0ZXdheS5kZXYiLCJleHAiOjIwNzExNjM1NzgsIm5iZiI6MTc2MzU3OTU3OCwiaWF0IjoxNzYzNTc5NTc4fQ.IOrJpU5RY8uhU403MiwRuSa5u6SHAtTeGkTEzn9Hg1DH963AH0NAOMfhx4orSKYbqKhjCPfo-cpKpxizafKFP6j9Ln4Is8ycfk9oPC8Sor_GfhAsJuK3N8fC8mnhm5xQMGk9XErvn9ZY4FCXxpK8vUUMUNUhIsE_zKxJR_Wt6HQ43SGaxuLggR5ETbLvSMDESJEuUdeY_fB_5tYaAznYxOLJ4zp87gKeFPPmEqyzISnRgcEHpyev7BM88uRQGrvF34AiWZO2uDuDGv5zJF9dFm_HQ4-QPe7xEZPvj9w_mbSRQn_RilE2mXduXcU1t-XLxFUVmYj2poiAuUXpwLciXw`)
+
+	orgFourJwks = []byte(`{"keys":[{"use":"sig","kty":"RSA","kid":"292910025153196340","n":"pq97a9fOT8ycnVo_xREFh4TW3Fo-zM-tk5xOxWv2rXRz1fWauxrKdTNaX8FgqKy8Pt2Y7UaWQQRnUnalPARBcPbYShTzOf1GbzIhwgjPbUTtD0WzeVVHk9so76Ab95O2kfaKhpWEnne43g06LKXKQMqOOUttXGjL6YzJT0F59oo5N-Je--XEDtV_QCfb3Qh73QbRO29rw7SAJePse32gKYB7-F1IGZm_P8S7nEXqZ1ZwudBifyQ7KBiP6PsKhonWZRA_4ocSTIwADnsU1VUACxi1FaS2rYl16t6UzT-uzYdhaVWlcRcJblsM66TZPDLwGZxw9IFgx9QAsIeZ_YAcKw","e":"AQAB","x5c":["MIIC3jCCAcagAwIBAgIBWzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQKEwxrZ2F0ZXdheS5kZXYwHhcNMjUxMjEyMjA1NjE5WhcNMjUxMjEyMjI1NjE5WjAXMRUwEwYDVQQKEwxrZ2F0ZXdheS5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmr3tr185PzJydWj/FEQWHhNbcWj7Mz62TnE7Fa/atdHPV9Zq7Gsp1M1pfwWCorLw+3ZjtRpZBBGdSdqU8BEFw9thKFPM5/UZvMiHCCM9tRO0PRbN5VUeT2yjvoBv3k7aR9oqGlYSed7jeDTospcpAyo45S21caMvpjMlPQXn2ijk34l775cQO1X9AJ9vdCHvdBtE7b2vDtIAl4+x7faApgHv4XUgZmb8/xLucRepnVnC50GJ/JDsoGI/o+wqGidZlED/ihxJMjAAOexTVVQALGLUVpLatiXXq3pTNP67Nh2FpVaVxFwluWwzrpNk8MvAZnHD0gWDH1ACwh5n9gBwrAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAfRX+g3QtPKqmejs+uu4r8x2g4cqU/KG7tqk/cAKIyiDLhlD2dJB47kcRMWmxvqEDamYROho/JPm8SJFPCMwNo9mVE0VcudYPbRkCn6yyKEGZFuimddQeL7KDoLLinbsDmGGXyEdHU/fPRi3zL8FlnCG1OWzSmevdq2p1HsNllJ9QdCiPEIgv0W9V0u+SxD0drMusF0jI/GUYRnbPniY7ieX0HDkdds5zmw1WNCV2gv1YZg2sUJll6BEEmy4TxmSu0+DzmjDbeqvs4HGJpzTDUvgwdTpawKyKlZaFcF6w7sZ41C6RTRDy903vaeDQBI8quP6iaUWBZ4ruJ41ns4l1+"]}]}`)
+	// "sub": "[email protected]",
+	orgFourJwt = []byte(`eyJhbGciOiJSUzI1NiIsImtpZCI6IjI5MjkxMDAyNTE1MzE5NjM0MCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2tnYXRld2F5LmRldiIsInN1YiI6ImJvb21Aa2dhdGV3YXkuZGV2IiwiZXhwIjoyMDczMTU2OTc5LCJuYmYiOjE3NjU1NzI5NzksImlhdCI6MTc2NTU3Mjk3OX0.juMOUmoChZEE_AQVZv3jwtZjytWfzN23-palLXA-DIsSa4-f-lmf3CQiwXz0n1YlSY_dt3rGO6OsDdkYn8wkYEVoQVh11crJvZ5FhpIlZlROOSp03KTW2mQ1XwGYRxffzdzBv65LrFYWK0iNQH2NKfqOzVo5xt3SLTJuxIvCE8-qnqXUWrADw3b2TIzE7SgN7xXzeRGwTpgltq4BswdkB0R5g_1xtbrcdFgT533vt3nCiumhqrBkmk4g02x3L1iSjDCnnwJX2YLHYfpUN0i7SooguTkta067lwBiOi3NOTQjRBOBlZmkoj6sz4YNQ9EwsD74pkNBW9pN-__2cVPBxw`)
 )
diff --git a/hack/dummy-idp/dummy-idp.key b/hack/dummy-idp/dummy-idp.key
@@ -1,28 +1,52 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCveFzIPXbf8b89
-On8VHtgEDabsGhm52K9Hv2/9nHIaEzrnl67undW2onVBI/IMhrkPQXL59dTyw3lw
-1KQwtDbPLbHJvPUxX5pYE8HDCinMpxgueJQeXjGjA3B0zMzAGKGy1afSFkoemPgW
-Gk3z9+RA31ZOim+pdLu1a/7es+AxVzassnVvN3NBuVr4Baxj6f2MIaUHrnp31fmZ
-ZhEFDUajlPxx/dfVe+eowV70rdSjGi1r4/HKeEfobWUJSTNYSEHttPIHl+i7NW/A
-rzKjZDb5gNMLJzr3/mbMGB0QS60iDuMaCi7rzKdalPhNBEB5VMTxXnleFXkrWmHC
-FGL3Q4f7AgMBAAECggEAN/sZ+sZlQRAi15lshuP2veBPI182WuzvCuBgDdTWMEx3
-TADADh+r2Z8d8oDRzb5Dl0LluCp+XE8R1PX6RhGQtOtan8aZoT1jg/sVo7B/4mti
-0xykAMZDZsMHozPdlOGm4OO6LVPwJK/f4klVGmM5XpsCMX+IHVOBOWGxiAJyIbsu
-Nadg0IXREomEIJK7p+kVAxBEYkWddIiCSJ5xfeLHPls1VG1FRzT+0Xq5MYih5BkM
-JYBmmm8Iofg/yJb0SMMW5JRWBzTK0gwni8s6qq+mLXWmuSNnqh7TwPwEUO3Cxg44
-QLxlXnMJn8lgthjPbxAGs+uSYWcwQbBc02p0EQe0KQKBgQDko2ifLJhXkGhFSCBZ
-qHF8I6TOumzicsVlP/tm1JXTrtPoEBdyIcMb+KTnUxTxfIOiFb9GtdYTLZW6xQEU
-nutAXezRK25drZtTlSEiTWvZFVAFO2Io+S5ZtOLi+N6lp7We49a5uvvjavJrjAAp
-b95zyrjK/VFdifXaRIG1ZcB9aQKBgQDEeBZ8myYdENRo8zt/n15El184Tpc/tAkb
-XEEjddrsIz6ekIeEclFwaRi00p4UYV2EA5tmx8u651zIcZAF/rnix1Kz4JDuAOlc
-+KEnBL81SIybHMzdq8smJmMO2NQSHSrKjsCtQDzb7INEUd9VaiiEOHoaCcqL1ZfA
-SUUhx+bZwwKBgQDg37+k3q2vYf7MNZZr2HpVyJDuKvmw94Uign13tBrwqoENO9Zz
-kLVfq3w1cMemg/rLzmvk1i+JiUo8+kqHx45GLpsfV4IjbP7ahFCkdlVem9Gqc6+l
-8P8fiAOnjXMepwbBEgI9hqT8FlH8aSQ3nSnD5V0/eUsvnuNKHBsfGMbsEQKBgDQ5
-q9iRsW72g1AmoAFLztYy2sfv9Dql0+nm+xW/BWPR9ppV1wA5FzbnaP7gIc9PFnm6
-L7wBjkFvsPVDYsKFNMp4q55PKpdpvJ7PJJ9nnqA+Wcn9vOOMACNy/s/6iV0LTc2s
-ZsFnGwZm93nYvaJJ5t1G2gZD5giHzZ/6mhrhtZbbAoGALWewB6J4CkCNAS0qJK85
-I6LrayNR7IcsaUKvLgaggg1FejZRPHkGECjsDfsGpcJAhAYZSBz6ToXODPdSCDJz
-A2hJwkkTrX6zaKDhkDXvVhiz0JB6win4CBnU/zKzf6PExraX+Vd+pWzdSxCBupDl
-TFwmV3iuItdcF82i2fBZlXk=
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCjw1ztiRA5a7li
+0AAmakMhaCU8PXVKWsvkHFa4Jw7/FCzPRcElaSIIk+/63qn1kLMlh/G4cmetEg9r
++gakXb1PHeRuy8444r+w9ZEZnaDNOax3lqxVqzLHd7U1WCHZA8LDqm/+P92F4c2b
+LSPDfSPZqkBX0dDmoY8Lm9X0KhpFOAJXTlhk4LJZSNGQ1fCA7gEZTkPGcrMS9msc
+VyeCKOHgzGersG3luSV7/2oy89xsfb6Vny5XzxwgeP2fhBK8P4OeTxDPH7byuYo0
+9vkD1C0na5Dv2IwclfSDzY2KLvSRHCNSj0NquFXI0FfN3XERQ8NdaOjITonFTcHU
+xQYmumkracVP37GGqGj4itDljmd0o7aDVT09e4HoeZF/uHk5s3Qv/YRYfqp3Ms3x
+3aJgRUJWpkOT84N54C6DZuSMpPzrlIC4PLIGH+3KGA8oM82oMcaU0Uu1cn8Ki5TG
+kW6gVK1/SB1aZ9ewqrbKyNYoWnb/auMHNzMbdq3U9Rn6RO8ggfzawMwntmVVpDZF
+/GW9LWg+/a/3WjgYGpB3/S/xKmE7IBjt7F4hext5W0aS8Dih4hz/WG0AnaIfGN6s
+xovQy5ZgyGkEobST1Jgm+7u5C/W1tkj0S/sx9mWOdufAmVp3QBntOsEFYC79GiO5
+K3vkn9WH2cUW8xOfeUwVkDv0UU9yOwIDAQABAoICADowdfm1ZT1yCKqSzCraQUZC
+klCIaf/kqWRBqZK/1jVO/ukbmRjo9X3kyzXyHqQyKWXhm0N161709uPgMLIA2P6e
+2YeBBaLy9zgy2b8nYnbp0l2f/VZngaCc6Zet3EEXdAJAspC+MsGazYshC/8vnSh/
+tWM/G6KHr6NpWSnsN+92imZpYUFfEiBlnol/a3j0mRFb3PtL0FOhmce1NEWsry5I
+k2HPTA1/r1ETHbJDMoSeXbUencH3xr/HHh+rN1kKnIMJBykB1OkEgpZ1V2BD6VOD
+hjmjUY3qvrqCtJNwQdi6DdcNLuBh5aF4Xmq5D68Zy/aKC4T5WzzvdztaUug5/poq
+4aBYjA2sx64MoqYbESDlX8ZsSyUmyEPu2qjm9AX4GV7XNr1t2Xl0sgmQBknEUfmP
+wivRVOmfCT3Kt1C3OCWo369Map0aQlbjpbDnRIuZXz3EcA0+wnpBoeAK/fIU5X6I
+8+XCIB2p/835cmH3QmwKXDsV6jupac2Uy7Fu5K8rd1UG9Ks/DDVM0zwsbNWwBshI
+50k0Jp1kV/dUYHJBpswRXmiEOdjFJo2YiKlCsPZac+ky3T+1k6aM4PItbQ/3KUta
+JBe8pIV0tVRouQ0++CYmttGK3Fkyti0EYztTv6SYOT4K/RAXHLUZ93x2rzCee1nX
+FgJSJYLzyf62mmzsIlFxAoIBAQDnP5npvvmbzLpcgVC2Z/jdCGzjHZ+/TXfhFwDI
+Vct9GcwgqmzIvMMKO+CvxNHi4EyChy3HcLOafS5T4z65PAixb5HqC1XhR0ol9bVD
+g4UUxVLBM9uA35aPxtSecL7x0Uo1AvHXP2MmEwOGlatZSGjvSiMkVPT0AUyVy0VI
+TMBhdMHYvmy2H++PEn1XzCoNRG4IzT5wIJos3O4SWxkKX6KbrfcZf/oF6GZyOgX5
+XOBgEyQK8swaQ1sLRsI6O3lQx1PelstaCGeDvKnqhlbziGdBO6VR4pNzrIt8bbls
+2OT0SF1rtWcutH50pVgIWxzNn1IiGRuRVigpX0TECuUXxQOjAoIBAQC1SpvIrD8k
+UaIu3/VvAoHOTU4l22XphoTEVcfy0lK3glcapiKro9CQLTZNfqSHbt666wxUaRrm
+HmuZkogUkqwE92bO5dxqwvAOGpYS01LQX2cdGaWQI0BFJmlTkU9ojzHe5DQxVChs
+9INclnvowv5WqCqo6Ue/OD7/KEtE7LYSGltvOuZI3ZXp888nm0FkZyKx5b6JxVVU
+tEdksbPsU4rn4S0JFSGnRS67u2PB96gCkZrwiRKco8TkzZAMKayTeYzb7osxksFv
+1rdXhv9ajt4Yve8yOpwUmWBC0hCu6JMUAfN+O5d2pnn0tzLooDBnUxuJp9riTt9v
+4g8GHRQ1pYCJAoIBAQDKtbUM8uzJx0BCINWI4EGGOIGC4ZAMWTNR7CEyfArB4iBP
+LjXoDZgHW4/NZIH8GFTZQvg9US0PqtY2kQiFxft01vGYsVEaBq0X83hu81Zwa7zs
+QbIUGWtZI5l0Pi8TuTwMlkU7Q4R9dsNrcb3fqRrbUCjYC2UilBT3ZlWYWDd39qqK
+ffq79+i+iR25He5q7OZr7sbh8aJU22ISUyrzLfxT7b6i6s1X6m4LiZN9EQ5bCcxZ
+kJacGxkvHFrcQxBIYELD53ngtWdQUsy8GgEUwCiLRWbZDf3ls4Yej+ywXrzs6paB
++WW2yl/jjqFJydzI3vVXkJza3SSdh7a3BznliT1zAoIBAFWQxT5Nre+iZ/3fzqN6
+d3G7ourTRqKVzwwrwJenFUtvxVTanPqN8t5ZuIuS/my9s3pdfhBJG10JdpehRYEQ
+SQh/DJMSgpoRL+Q4QCTagPfAT5a4iCAjwy3gF05OA0DCdTNSWh/+LKZgMa/9hrYx
+coHMFXZrxGVIUtNzXTNG1hhtQEKbdh1mGF+3p0p2SMLuur1kRi4YaVH1VMz94oHk
+XGddLDhhNOUSDiClLUxba3zq5EorKBGuajvjmd1jvgRNFmKnkCLxtULoANja6qL/
+U2wyGTeH2isOyRRAuYcUVnbXBOnLjo19vYn2/Zw2HyJlY1XxV6oAuAzCkXy9NNCt
+MKECggEAHjPG/8pCcuj5WDR+6tkpKVwzAamvYy8utTTcJvT5RRwXJW4lqDcqsSLv
+AOeJGlfXWBe0mQdHs9JpWCBIWOkoZepvjIbHHLWwyaZNqe/o0WoDonWFQZidMaP3
+I/DT4obwfYqkpCYksHXJgqTCMpQRIwR+aVUXF8kHiGFrAq9G4gMmiL3Cly9jwl6M
+FtYlmNF7g8il/2ehmIg+4bBkveV5L5sgB7VDC3ghHqzHsPJ47CZVX+lFLva1zcz+
+88nL2O8RAfEZ86H6RZ7SHZXLk+8T7ss2s4X/HHhY50ZoDoAyaxIXQ3nJGUhFZTkR
+L4GocbPxqGETwDmOZlQWwauXbbuxNw==
 -----END PRIVATE KEY-----
diff --git a/hack/utils/jwt/jwt-generator.go b/hack/utils/jwt/jwt-generator.go
@@ -33,14 +33,22 @@ func main() {
 		os.Exit(1)
 	}
 
-	jwt, err := generateJwt(kid, key)
+	jwt, err := generateJwt("[email protected]", kid, key)
+	if err != nil {
+		fmt.Printf("error generating jwt: %s", err.Error())
+		os.Exit(1)
+	}
+
+	jwt1, err := generateJwt("[email protected]", kid, key)
 	if err != nil {
 		fmt.Printf("error generating jwt: %s", err.Error())
 		os.Exit(1)
 	}
 
 	fmt.Printf("jwks: %s\n", string(serializedJwks))
-	fmt.Printf("jwt: %s\n", jwt)
+	fmt.Printf("jwt, sub: '[email protected]': %s\n", jwt)
+	fmt.Printf("jwt, sub: '[email protected]': %s\n", jwt1)
+
 }
 
 func generateJWKS(kid string) (*jose.JSONWebKeySet, *rsa.PrivateKey, error) {
@@ -86,10 +94,10 @@ func generateJWKS(kid string) (*jose.JSONWebKeySet, *rsa.PrivateKey, error) {
 	}, rsaKey, nil
 }
 
-func generateJwt(kid string, key *rsa.PrivateKey) (string, error) {
+func generateJwt(sub, kid string, key *rsa.PrivateKey) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
 		Issuer:    "https://kgateway.dev",
-		Subject:   "[email protected]",
+		Subject:   sub,
 		IssuedAt:  jwt.NewNumericDate(time.Now()),
 		NotBefore: jwt.NewNumericDate(time.Now()),
 		ExpiresAt: jwt.NewNumericDate(time.Now().Add(85440 * time.Hour)), // 10 years