diff --git a/CHANGES b/CHANGES
index 9efb582ac..549e176a5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3098,4 +3098,4 @@
 * gcs: fix copy operation
 * restore: fix crash when trying to mount fs volumes
 * restore: teardown pseudo backup site
-
+* oidc: add separate jwks key route for cloudflare access
diff --git a/src/oidcserver.js b/src/oidcserver.js
index cd8ca3ceb..bf976a843 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -658,6 +658,19 @@ async function start() {
 app.post(`${ROUTE_PREFIX}/interaction/:uid/confirm`, setNoCache, json, interactionConfirm);
 app.get (`${ROUTE_PREFIX}/interaction/:uid/abort`, setNoCache, interactionAbort);
 
+ // cloudflare access has a bug that it cannot handle OKP key type. https://github.com/sebadob/rauthy/issues/1229#issuecomment-3610993452
+ app.get (`${ROUTE_PREFIX}/jwks_rsaonly`, setNoCache, async function (req, res) {
+ // https://github.com/panva/jose/discussions/654
+ res.set('content-type', 'application/jwk-set+json; charset=utf-8');
+ const rsaKeys = jwksKeys.filter(k => k.kty === 'RSA').map(k => {
+ const tmp = { e: k.e, kty: k.kty, n: k.n }; // the ordering of fields matters here to produce a stable kid below!
+ tmp.kid = crypto.hash('sha256', JSON.stringify(tmp), 'base64url'); // from calculateKid of initialize_keystore.js . oidc-provider relies on kid!
+ tmp.use = 'sig';
+ return tmp;
+ });
+ res.send({ keys: rsaKeys });
+ });
+
 app.use(ROUTE_PREFIX, gOidcProvider.callback());
 app.use(middleware.lastMile());
 
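Review bot: The `tmp.kid = crypto.hash(...)` line in the `/jwks_rsaonly` handler re-implements calculateKid from initialize_keystore.js, so the two derivations can silently diverge; if the entries in jwksKeys already carry the kid that calculateKid produced, prefer `const tmp = { e: k.e, kty: k.kty, n: k.n, kid: k.kid };`, otherwise import and call calculateKid here, because a kid that no longer matches the `kid` header oidc-provider puts in its JWTs would make Cloudflare Access reject every token without any error on this side. The value being computed is the RFC 7638 JWK thumbprint (SHA-256 over the e/kty/n members in that order, base64url), which is the fact the "ordering of fields matters" comment is hinting at and is worth stating, e.g. `// kid = RFC 7638 JWK thumbprint; must equal the kid in the JWT header`. The handler awaits nothing, so `async` can be dropped; if this app runs on Express 4 (not visible here), an exception inside an async handler — for instance `crypto.hash` being unavailable on older Node releases — turns into an unhandled rejection instead of reaching the error middleware. Copying only e, kty and n into the response object is the right shape: whatever else the keystore entries hold, no private members can reach the wire.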