diff --git a/CHANGES b/CHANGES
index b82d6392c..c3a5f01a3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3185,4 +3185,4 @@ * update: add policy to update apps and platform separately
 * passkey: fix issue where passkeys were lost on restart
 * passkey: implement passwordless login
-
+* oidcserver: fix jwks_rsaonly response
diff --git a/src/oidcserver.js b/src/oidcserver.js
index a8c22fb5e..20dcea3df 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -31,6 +31,7 @@ import users from './users.js';
 import groups from './groups.js';
 import util from 'node:util';
 import Provider from 'oidc-provider';
+import oidcProviderWeakCache from 'oidc-provider/lib/helpers/weak_cache.js';
 import mailpasswords from './mailpasswords.js';
 const { log, trace } = logger('oidcserver');
@@ -822,14 +823,10 @@ async function start() {
 app.get (`${ROUTE_PREFIX}/interaction/:uid/abort`, setNoCache, interactionAbort);
 // cloudflare access has a bug that it cannot handle OKP key type. https://github.com/sebadob/rauthy/issues/1229#issuecomment-3610993452
- app.get (`${ROUTE_PREFIX}/jwks_rsaonly`, setNoCache, async function (req, res) {
- // previously (aff5e8f44d0c), we used to send response directly. but this was intricately linked to oidc-provider logic because of key.kid calculation
- const [error, response] = await safe(superagent.get(`http://127.0.0.1:${constants.OIDC_PORT}${ROUTE_PREFIX}/jwks`));
- if (error) return res.send(`Internal error: ${error?.message}`);
- if (response.status !== 200) return res.send(`Internal error, unexpected status: ${response.status}`);
- const jwksResponse = safe.JSON.parse(response.body.toString('utf8'));
- const rsaKeys = jwksResponse?.keys?.filter(k => k.kty === 'RSA') || [];
- res.set('content-type', req.get('content-type')); // application/jwk-set+json; charset=utf-8
+ app.get (`${ROUTE_PREFIX}/jwks_rsaonly`, setNoCache, function (req, res) {
+ const { keys } = oidcProviderWeakCache(gOidcProvider).jwks;
+ const rsaKeys = keys.filter(k => k.kty === 'RSA');
+ res.set('content-type', 'application/jwk-set+json; charset=utf-8');
 res.send({ keys: rsaKeys }); // https://github.com/panva/jose/discussions/654
 });
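Review bot: The rewritten `jwks_rsaonly` handler sends whatever `oidcProviderWeakCache(gOidcProvider).jwks.keys` holds after filtering only on `kty`, whereas the removed code proxied the provider's own `/jwks` route and so could only ever relay what the provider itself publishes. That weak-cache object is oidc-provider internal state reached through `oidc-provider/lib/helpers/weak_cache.js` (the import added in the first hunk), which does not appear to be a documented entry point, so the handler now rests on an unchecked assumption that this object carries no private JWK members and that its shape survives a package upgrade. I would project the public members explicitly, e.g. `const PUBLIC_JWK_MEMBERS = ['kty', 'kid', 'use', 'key_ops', 'alg', 'n', 'e', 'x5c', 'x5t'];` and `const rsaKeys = keys.filter(k => k.kty === 'RSA').map(k => Object.fromEntries(Object.entries(k).filter(([m]) => PUBLIC_JWK_MEMBERS.includes(m))));`, and put `// internal oidc-provider helper, not a public export; re-check on every upgrade` above the new import. The destructuring also throws if `jwks` is unset, where the old code answered with an `Internal error` body; a guard like `if (!keys) return res.send('Internal error: jwks not initialized');` keeps that failure explicit. The enclosing start() function begins and ends outside the hunk.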