In the SPIFFE world a workload can authenticate by calling the SPIRE Workload API to request an SVID. JWT SVIDs can be used for OIDC federation, since they comply with the ID token specs. RGW is not too far from supporting OIDC federation with JWT SVIDs, but some gaps need to be filled:
RGW assumes that the signing key carries the x5c member (which the JWK spec makes optional) and relies on it for token validation, so it doesn't support bare JWKs, i.e. keys given only by their parameters such as n and e for RSA. SPIRE uses bare JWKs.
RGW doesn't select the signing key by the token's "kid" header; it picks the first certificate instead. The matching signing key might be at any position in the keys JSON array published via the OIDC discovery endpoint.