Having one OIDC provider and multiple APIs from third parties, how can I federate logins?

If I have an app which authenticates against one OIDC provider, e.g. Google, but then uses the provided ID and access tokens to make requests against 1. an app API and 2. a third-party API using the tokens from before.

Is this possible? How does this work? Where can I learn more? I know about OpenID Connect but only in a “single backend api flow”. I came across OpenID Federation but do not know if this is the standard. Can anybody help me out?

Last but not least, how do I manage roles in this type of setup? Someone mentioned custom claims for this, as a property of the token, but I could not really get a clue about this either.

In summary: How do I do enterprise authentication and access management having third party APIs but only one place to sign up and login?

Ping Federate 8.2.2 .well-known/openid-configuration “jwks_uri” is missing keyset

I am creating a resource server that is using Ping Federate 8.2.2 as an authorization server to validate JSON Web Tokens upon certain requests. I am trying to validate the signature, so I planned on using .well-known/openid-configuration (https://example.com/.well-known/openid-configuration) to get the jwks_uri (i.e. https://example.com/pf/JWKS). I then request the data from this URI, and use the “kid” to find the correct keyset in the data. However, I found that my “kid” is not listed in the keyset list. I spoke to the administrator and he suggested using another URI (https://example.com/ext/pf/JWKS). The keyset showed up on this alternate URI. I proceeded to ask why it was not in the referenced .well-known/openid-configuration “jwks_uri”. He was not sure.

My question is, does anyone know how to make sure the keyset I am using is in the correct jwks_uri location?

Also, since I was not sure which message community to send this to, please let me know if this is incorrect. I will move it over to the correct community upon request.
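
The lookup described in the question above, as an added example that is not part of the original post: it reads the `kid` from a token header and reports which of several JWKS documents publishes that key, failing closed when the `kid` is absent or ambiguous. The token, the `kid` values `k1`/`k2` and the JWKS contents are constructed sample data; the two URLs are the ones quoted in the post, and the code does no network fetch and no signature verification.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[0]))

def select_key(header: dict, jwks: dict) -> dict:
    """Return the single JWK matching the token's kid; fail closed otherwise."""
    kid = header.get("kid")
    if not kid:
        raise LookupError("token has no kid; refusing to guess a key")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"kid {kid!r} matched {len(matches)} keys")
    key = matches[0]
    if key.get("use", "sig") != "sig":
        raise LookupError(f"kid {kid!r} is not a signing key")
    if "alg" in key and key["alg"] != header.get("alg"):
        raise LookupError(f"alg mismatch for kid {kid!r}")
    return key

def locate_kid(token: str, keysets: dict) -> dict:
    """Map each JWKS URL to True/False: does it publish the token's kid?"""
    header = jwt_header(token)
    found = {}
    for url, jwks in keysets.items():
        try:
            select_key(header, jwks)
            found[url] = True
        except LookupError:
            found[url] = False
    return found

def _seg(obj) -> str:  # helper to build the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: placeholder signature, made-up kid values.
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "kid": "k2"}), _seg({"iss": "https://example.com"}), "c2ln"])
SAMPLE_KEYSETS = {
    "https://example.com/pf/JWKS": {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "alg": "RS256"}]},
    "https://example.com/ext/pf/JWKS": {"keys": [{"kty": "RSA", "kid": "k2", "use": "sig", "alg": "RS256"}]},
}

if __name__ == "__main__":
    print(locate_kid(SAMPLE_TOKEN, SAMPLE_KEYSETS))
```

In a resource server, the JWKS passed to `select_key` would be the document fetched from the `jwks_uri` advertised by the issuer's discovery document, so a `LookupError` here surfaces the mismatch the post describes instead of silently accepting a key from elsewhere.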