diff --git a/authorize/evaluator/opa/policy/headers.rego b/authorize/evaluator/opa/policy/headers.rego
index a22493fcd..4c1aed594 100644
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@@ -77,7 +77,7 @@ jwt_payload_aud := v if {
 	v := input.issuer
 } else := ""
 
-jwt_payload_iss := v if {
+jwt_payload_iss := concat("", ["https://", v, "/"]) if {
 	v := input.issuer
 } else := ""
 
@@ -201,6 +201,7 @@ set_request_headers := h if {
 		"pomerium.id_token": session_id_token,
 		"pomerium.access_token": session_access_token,
 		"pomerium.client_cert_fingerprint": client_cert_fingerprint,
+		"pomerium.jwt": signed_jwt,
 	}
 	h := [[header_name, header_value] |
 		some header_name
diff --git a/internal/controlplane/http.go b/internal/controlplane/http.go
index 840f42ab1..9c94f7c31 100644
--- a/internal/controlplane/http.go
+++ b/internal/controlplane/http.go
@@ -71,6 +71,7 @@ func (srv *Server) mountCommonEndpoints(root *mux.Router, cfg *config.Config) er
 	root.Handle("/.well-known/pomerium", handlers.WellKnownPomerium(authenticateURL))
 	root.Handle("/.well-known/pomerium/", handlers.WellKnownPomerium(authenticateURL))
 	root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(handlers.JWKSHandler(signingKey))
+	root.Path("/.well-known/pomerium/openid-configuration").Methods(http.MethodGet).HandlerFunc(handlers.OpenidConfiguration)
 	root.Path(urlutil.HPKEPublicKeyPath).Methods(http.MethodGet).Handler(hpke_handlers.HPKEPublicKeyHandler(hpkePublicKey))
 	return nil
 }
diff --git a/internal/handlers/openid_configuration.go b/internal/handlers/openid_configuration.go
new file mode 100644
index 000000000..4916d73a4
--- /dev/null
+++ b/internal/handlers/openid_configuration.go
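Review bot: `jwt_payload_iss` now evaluates to `https:///` when `input.issuer` is present but empty, because the `else := ""` branch only fires when `input.issuer` is undefined, not when it is the empty string. Add `v != ""` on the line after `v := input.issuer` in the rule body so the empty case falls through to the default. The scheme and trailing slash are also fixed here; they must match byte-for-byte the `issuer` that the new `openid-configuration` handler reports, and that handler derives its value from the incoming request URL, so a plain-http or non-default-port deployment would yield an `iss` claim that fails discovery-based validation.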
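Review bot: The discovery document is mounted at `/.well-known/pomerium/openid-configuration`, yet the `issuer` it advertises is the site root, and OpenID Connect discovery resolves `{issuer}/.well-known/openid-configuration` — off-the-shelf clients will not find this path. If the endpoint is meant only for Pomerium-aware consumers, say so on the route, e.g. `// non-standard discovery path: serves issuer and jwks_uri only, not a full OIDC provider document`; otherwise also register it at the standard path. The sibling routes pass configured values (`authenticateURL`, `signingKey`) into handler constructors, whereas `HandlerFunc(handlers.OpenidConfiguration)` takes nothing and therefore has to derive the issuer from the request itself; following the constructor pattern would let the issuer come from configuration. mountCommonEndpoints starts outside the hunk.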
@@ -0,0 +1,17 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+
+	"github.com/pomerium/pomerium/internal/urlutil"
+)
+
+func OpenidConfiguration(w http.ResponseWriter, r *http.Request) {
+	u := urlutil.GetAbsoluteURL(r)
+	json.NewEncoder(w).Encode(map[string]string{
+		"issuer": u.ResolveReference(&url.URL{Path: "/"}).String(),
+		"jwks_uri": u.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
+	})
+}
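Review bot: The handler never sets `Content-Type`, so net/http's sniffer will label the JSON body `text/plain; charset=utf-8`, and the error returned by `Encode` is dropped. Marshal first, then set the header and write the bytes, so an encoding failure can still produce a 500 rather than a truncated 200; the exported `OpenidConfiguration` also needs a doc comment starting with its name. Separately, `issuer` is taken from `urlutil.GetAbsoluteURL(r)`, which presumably reflects the scheme and Host of the incoming request, while the rego change in this commit builds `iss` as `https://` + `input.issuer` + `/`; if those ever differ (plain http, a non-default port, or a Host value chosen by the client), validation of the `iss` claim against this document fails, so deriving both from configuration would be more robust than trusting the request.
```go
// OpenidConfiguration serves a minimal OpenID Connect style discovery
// document (issuer and jwks_uri) derived from the request URL.
func OpenidConfiguration(w http.ResponseWriter, r *http.Request) {
	u := urlutil.GetAbsoluteURL(r)
	body, err := json.Marshal(map[string]string{
		// … unchanged: "issuer" and "jwks_uri" entries …
	})
	if err != nil {
		http.Error(w, "encoding discovery document", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write(body) // nothing useful to do on a failed write to the client
}
```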