Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

When pulling JWKs and routing rules from cloud object storage, is there a way of specifying the cloud credentials in the Oathkeeper config or does Oathkeeper expect the files to be accessible without auth?

Yes, but not in the config of oathkeeper. For cloudstorage oathkeeper makes use of cloud provider specific configuration. Typically, there is a need for an active session to the cloud provider, except the storage object is exposed publicly. E.g. for AWS oathkeeper uses environment variables and config properties described in <https://docs.aws.amazon.com/sdk-for-go/api/aws/session/|https://docs.aws.amazon.com/sdk-for-go/api/aws/session/>

You can find more info under <https://gocloud.dev/howto/blob/|https://gocloud.dev/howto/blob/> as well as this is what oathkeeper is using to communicate with different cloud storage providers.