diff --git a/pkg/apis/feature/features.go b/pkg/apis/feature/features.go
index cfe379141d0..7491462492a 100644
--- a/pkg/apis/feature/features.go
+++ b/pkg/apis/feature/features.go
@@ -71,6 +71,9 @@ const (
 // DefaultRequestReplyTimeout is a value for RequestReplyDefaultTimeout that indicates to timeout
 // a RequestReply resource after 30 seconds by default.
 DefaultRequestReplyTimeout Flag = "30s"
+
+ // DefaultJWKSURI is the default JWKS URI used in most Kubernetes clusters.
+ DefaultJWKSURI Flag = ""
 )
 
 // Flags is a map containing all the enabled/disabled flags for the experimental features.
@@ -90,6 +93,7 @@ func newDefaults() Flags {
 AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
 OIDCDiscoveryBaseURL: DefaultOIDCDiscoveryBaseURL,
 RequestReplyDefaultTimeout: DefaultRequestReplyTimeout,
+ JWKSURI: DefaultJWKSURI,
 }
 }
 
@@ -169,6 +173,19 @@ func (e Flags) RequestReplyDefaultTimeout() string {
 return string(timeout)
 }
 
+func (e Flags) JWKSURI() string {
+ if e == nil {
+ return string(DefaultJWKSURI)
+ }
+
+ jwksURI, ok := e[JWKSURI]
+ if !ok {
+ return string(DefaultJWKSURI)
+ }
+
+ return string(jwksURI)
+}
+
 func (e Flags) String() string {
 return fmt.Sprintf("%+v", map[string]Flag(e))
 }
@@ -220,6 +237,8 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
 flags[sanitizedKey] = AuthorizationAllowSameNamespace
 } else if strings.Contains(k, NodeSelectorLabel) || sanitizedKey == OIDCDiscoveryBaseURL {
 flags[sanitizedKey] = Flag(v)
+ } else if sanitizedKey == JWKSURI {
+ flags[sanitizedKey] = Flag(v)
 } else {
 flags[k] = Flag(v)
 log.Printf("Warning: unknown feature flag value %q=%q\n", k, v)
diff --git a/pkg/apis/feature/features_test.go b/pkg/apis/feature/features_test.go
index 34d899d2209..2dfb3419d1e 100644
--- a/pkg/apis/feature/features_test.go
+++ b/pkg/apis/feature/features_test.go
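Review bot: The doc comment on `DefaultJWKSURI` says it is "the default JWKS URI used in most Kubernetes clusters", but the value is the empty string, which verifier.go in this same commit treats as "no override, keep the jwks_uri from the discovery document"; as written the comment invites someone to fill in a URL and silently change every cluster's signing-key source. Replace it with `// DefaultJWKSURI is the default for the oidc-jwks-uri flag. Empty means the jwks_uri advertised by the OIDC discovery document is used unchanged.` The const block starts before the hunk.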
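Review bot: `JWKSURI` is a new exported method with no doc comment; add `// JWKSURI returns the configured oidc-jwks-uri override, or "" when the jwks_uri from the OIDC discovery document should be used.` above it. The `e == nil` guard is also redundant: indexing a nil map in Go yields the zero value with `ok == false`, so the `!ok` branch already returns the default. It can stay for symmetry with the neighbouring accessors (whose bodies are outside this hunk), but it does not change behaviour.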
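Review bot: The new `sanitizedKey == JWKSURI` branch stores the value verbatim with no check that it is a parseable absolute URL, even though verifier.go in this commit substitutes it for the discovery document's `jwks_uri`, i.e. it decides where token signing keys are fetched from; a typo or an `http://` value would only surface as a later key-fetch failure, or in the plaintext case not at all. Since NewFlagsConfigFromMap already returns an error, reject malformed values at load time and keep `""` (the default meaning "use discovery") accepted; relax the https requirement only if a plaintext endpoint is genuinely intended. The check needs `net/url`, which this file may not import yet. If you decide not to validate, the branch is byte-identical to the preceding one and can simply be folded into that condition. NewFlagsConfigFromMap starts and ends outside the hunk.
```go
// … unchanged: earlier flag-name branches …
} else if sanitizedKey == JWKSURI {
	// The JWKS URI decides where token signing keys are fetched from;
	// accept only an absolute https URL (empty keeps the discovery value).
	if v != "" {
		u, err := url.Parse(v)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("invalid value %q for %s: must be an absolute https URL", v, JWKSURI)
		}
	}
	flags[sanitizedKey] = Flag(v)
} else {
// … unchanged: unknown-flag warning …
```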
@@ -63,6 +63,8 @@ func TestGetFlags(t *testing.T) {
 require.Equal(t, expectedNodeSelector, nodeSelector)
 
 require.Equal(t, flags.OIDCDiscoveryBaseURL(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1")
+
+ require.Equal(t, flags.JWKSURI(), "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk")
 }
 
 func TestShouldNotOverrideDefaults(t *testing.T) {
diff --git a/pkg/apis/feature/flag_names.go b/pkg/apis/feature/flag_names.go
index ba163868c72..31031148387 100644
--- a/pkg/apis/feature/flag_names.go
+++ b/pkg/apis/feature/flag_names.go
@@ -30,4 +30,5 @@ const (
 AuthorizationDefaultMode = "default-authorization-mode"
 OIDCDiscoveryBaseURL = "oidc-discovery-base-url"
 RequestReplyDefaultTimeout = "requestreply-default-timeout"
+ JWKSURI = "oidc-jwks-uri"
 )
diff --git a/pkg/apis/feature/testdata/config-features.yaml b/pkg/apis/feature/testdata/config-features.yaml
index bebbfea4b79..4b75baa80f0 100644
--- a/pkg/apis/feature/testdata/config-features.yaml
+++ b/pkg/apis/feature/testdata/config-features.yaml
@@ -30,3 +30,4 @@ data:
 apiserversources-nodeselector-testkey1: testvalue1
 apiserversources-nodeselector-testkey2: testvalue2
 oidc-discovery-base-url: "https://oidc.eks.eu-west-1.amazonaws.com/id/1"
+ oidc-jwks-uri: "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk"
diff --git a/pkg/auth/verifier.go b/pkg/auth/verifier.go
index df5c9d402df..0cd2d6f65a2 100644
--- a/pkg/auth/verifier.go
+++ b/pkg/auth/verifier.go
@@ -329,6 +329,11 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
 return nil, fmt.Errorf("could not unmarshall openid config: %w", err)
 }
 
+ // overwrite jwk uri if it is set in the feature flags
+ if features.JWKSURI() != "" {
+ openIdConfig.JWKSURI = features.JWKSURI()
+ }
+
 return openIdConfig, nil
 }
 
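Review bot: The added assertion passes the actual value as the second argument and the expected literal as the third, whereas testify's `require.Equal(t, expected, actual)` convention is the reverse, so a failure will be reported with the labels swapped; it mirrors the existing OIDCDiscoveryBaseURL line, but the new line can be written correctly as `require.Equal(t, "https://oidc.eks.eu-west-1.amazonaws.com/id/1/jwk", flags.JWKSURI())`. Only the happy path is covered: nothing here asserts that an absent `oidc-jwks-uri` key yields the empty default, nor that the verifier actually applies the override. `TestShouldNotOverrideDefaults` begins after the hunk and may cover the first; the second has no test in this commit. TestGetFlags starts outside the hunk.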
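Review bot: The new constant is named `JWKSURI` while the flag key it holds is `oidc-jwks-uri` and its sibling `OIDCDiscoveryBaseURL` keeps the `OIDC` prefix; `OIDCJWKSURI = "oidc-jwks-uri"` would keep the Go identifier and the config key in step and group the two OIDC flags together in code search. This touches the other hunks that reference the constant, so it is only worth doing before the change merges. The const block is complete within the hunk.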
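Review bot: The override replaces the `jwks_uri` the discovery document advertised with a value taken as-is from the feature ConfigMap, so anyone who can edit that ConfigMap redirects where this verifier fetches signing keys from; the hunk does not check that the value is well-formed or https, and if the flag loader does not either (the parse branch added in this commit stores it verbatim), a malformed or plaintext URL only shows up at key-fetch time or not at all. Say this in the comment, e.g. `// A configured oidc-jwks-uri takes precedence over the jwks_uri advertised by the discovery document; the value is trusted as-is, so it must be validated where the flag is parsed.` `features.JWKSURI()` is also evaluated twice; bind it once with `if jwksURI := features.JWKSURI(); jwksURI != "" { openIdConfig.JWKSURI = jwksURI }`. getKubernetesOIDCDiscovery starts outside the hunk.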