diff --git a/pkg/auth/oauthserver/metadata.go b/pkg/auth/oauthserver/metadata.go
index b5de358ec..88299ed1a 100644
--- a/pkg/auth/oauthserver/metadata.go
+++ b/pkg/auth/oauthserver/metadata.go
@@ -76,8 +76,9 @@ func getJSONWebKeys(publicKeys []rsa.PublicKey) (jwk.Set, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to write public key. Error: %w", err)
 		}
-
-		err = key.Set(KeyMetadataPublicCert, &publicKey)
+		var localPublicKey rsa.PublicKey
+		localPublicKey = publicKey
+		err = key.Set(KeyMetadataPublicCert, &localPublicKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write public key. Error: %w", err)
 		}
diff --git a/pkg/auth/oauthserver/metadata_test.go b/pkg/auth/oauthserver/metadata_test.go
new file mode 100644
index 000000000..401714225
--- /dev/null
+++ b/pkg/auth/oauthserver/metadata_test.go
@@ -0,0 +1,38 @@
+package oauthserver
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetJSONWebKeys(t *testing.T) {
+	newpriv, err := rsa.GenerateMultiPrimeKey(rand.Reader, 4, 128)
+	if err != nil {
+		t.Errorf("failed to generate key")
+	}
+	oldpriv, err := rsa.GenerateMultiPrimeKey(rand.Reader, 4, 128)
+	if err != nil {
+		t.Errorf("failed to generate key")
+	}
+	newKey := newpriv.PublicKey
+	oldKey := oldpriv.PublicKey
+	publicKeys := []rsa.PublicKey{newKey, oldKey}
+	keyset, err := getJSONWebKeys(publicKeys)
+	assert.Nil(t, err)
+	assert.NotNil(t, keyset)
+	oldJwkKey, exists := keyset.Get(1)
+	assert.True(t, exists)
+	oldpublicKey, exists := oldJwkKey.Get(KeyMetadataPublicCert)
+	op, ok := oldpublicKey.(*rsa.PublicKey)
+	assert.True(t, ok)
+	assert.Equal(t, &oldKey, op)
+	newJwkKey, exists := keyset.Get(0)
+	assert.True(t, exists)
+	newpublicKey, exists := newJwkKey.Get(KeyMetadataPublicCert)
+	np, ok := newpublicKey.(*rsa.PublicKey)
+	assert.True(t, ok)
+	assert.NotEqual(t, np, op)
+	assert.Equal(t, &newKey, np)
+}