diff --git a/package-lock.json b/package-lock.json
index 8658e7f19a..d69be84149 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11322,6 +11322,16 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/node-jose": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/@types/node-jose/-/node-jose-1.1.13.tgz",
+      "integrity": "sha512-QjMd4yhwy1EvSToQn0YI3cD29YhyfxFwj7NecuymjLys2/P0FwxWnkgBlFxCai6Y3aBCe7rbwmqwJJawxlgcXw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@types/normalize-package-data": {
       "version": "2.4.4",
       "resolved": "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.4.tgz",
@@ -26948,6 +26958,7 @@
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/node-jose/-/node-jose-2.2.0.tgz",
       "integrity": "sha512-XPCvJRr94SjLrSIm4pbYHKLEaOsDvJCpyFw/6V/KK/IXmyZ6SFBzAUDO9HQf4DB/nTEFcRGH87mNciOP23kFjw==",
+      "license": "Apache-2.0",
       "dependencies": {
         "base64url": "^3.0.1",
         "buffer": "^6.0.3",
@@ -43742,6 +43753,7 @@
         "moment": "^2.29.3",
         "moment-timezone": "^0.5.34",
         "node-fetch": "^2.6.6",
+        "node-jose": "^2.2.0",
         "otplib": "^12.0.1",
         "passport-apple": "^2.0.1",
         "passport-auth0": "^1.4.4",
@@ -43768,6 +43780,7 @@
         "@types/node": "^18.11.9",
         "@types/node-fetch": "^2.6.1",
         "@types/node-forge": "^1.3.4",
+        "@types/node-jose": "^1.1.13",
         "@types/passport-apple": "^1.1.1",
         "@types/passport-auth0": "^1.0.9",
         "@types/passport-azure-ad": "^4.3.1",
diff --git a/services/authentication-service/.env.defaults b/services/authentication-service/.env.defaults
index 26a0bdd8e9..3e85300184 100644
--- a/services/authentication-service/.env.defaults
+++ b/services/authentication-service/.env.defaults
@@ -61,4 +61,6 @@ AZURE_AUTH_COOKIE_KEY=
 
 #iv is 12 bit
 
-AZURE_AUTH_COOKIE_IV=
\ No newline at end of file
+AZURE_AUTH_COOKIE_IV=
+
+MAX_JWT_KEYS=2
\ No newline at end of file
diff --git a/services/authentication-service/.env.example b/services/authentication-service/.env.example
index 3d351f2665..485162a606 100644
--- a/services/authentication-service/.env.example
+++ b/services/authentication-service/.env.example
@@ -83,3 +83,5 @@ AUTH0_DOMAIN=
 AUTH0_CLIENT_ID=
 AUTH0_CLIENT_SECRET=
 AUTH0_CALLBACK_URL=
+
+MAX_JWT_KEYS=
diff --git a/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js b/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js
new file mode 100644
index 0000000000..b1ebc0e60c
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js
@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};
diff --git a/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
new file mode 100644
index 0000000000..fbcccb9d0c
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;
diff --git a/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
new file mode 100644
index 0000000000..7a3e493c39
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
diff --git a/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js b/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js
new file mode 100644
index 0000000000..b1ebc0e60c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js
@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};
diff --git a/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
new file mode 100644
index 0000000000..fbcccb9d0c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;
diff --git a/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
new file mode 100644
index 0000000000..ba3615437c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id SERIAL PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
\ No newline at end of file
diff --git a/services/authentication-service/openapi.json b/services/authentication-service/openapi.json
index 563a06a49d..9c15beb84a 100644
--- a/services/authentication-service/openapi.json
+++ b/services/authentication-service/openapi.json
@@ -752,7 +752,7 @@
         ],
         "responses": {
           "200": {
-            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params, \n          please use the post endpoint)",
+            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params,\n          please use the post endpoint)",
             "content": {
               "application/json": {
                 "schema": {
@@ -1720,6 +1720,200 @@
         "operationId": "IdentityServerController.connectAuth"
       }
     },
+    "/connect/endsession": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "logout",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To logout",
+        "responses": {
+          "200": {
+            "description": "Success Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SuccessResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "parameters": [
+          {
+            "name": "Authorization",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            },
+            "description": "This is the access token which is required to authenticate user."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AuthRefreshTokenRequestPartial"
+              }
+            }
+          },
+          "x-parameter-index": 1
+        },
+        "operationId": "IdentityServerController.logout"
+      }
+    },
+    "/connect/get-keys": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "getKeys",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Get the public keys",
+        "responses": {
+          "200": {
+            "description": "JWKS Keys"
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.getKeys"
+      }
+    },
+    "/connect/rotate-keys": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "generateKeys",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Generate the set of public and private keys",
+        "responses": {
+          "200": {
+            "description": "JWKS Keys"
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.generateKeys"
+      }
+    },
+    "/connect/token": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "getToken",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Send the code received from the POST /auth/login api and get refresh token and access token (webapps)",
+        "responses": {
+          "200": {
+            "description": "Token Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TokenResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AuthTokenRequest"
+              }
+            }
+          }
+        },
+        "operationId": "IdentityServerController.getToken"
+      }
+    },
+    "/connect/userinfo": {
+      "get": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "me",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To get the user details",
+        "responses": {
+          "200": {
+            "description": "User Object",
+            "content": {}
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.me"
+      }
+    },
     "/google/logout": {
       "post": {
         "x-controller-name": "LogoutController",
@@ -2671,6 +2865,21 @@
         ],
         "additionalProperties": false
       },
+      "AuthRefreshTokenRequestPartial": {
+        "title": "AuthRefreshTokenRequestPartial",
+        "type": "object",
+        "description": "(tsType: Partial<AuthRefreshTokenRequest>, schemaOptions: { partial: true })",
+        "properties": {
+          "refreshToken": {
+            "type": "string"
+          },
+          "tenantId": {
+            "type": "string"
+          }
+        },
+        "additionalProperties": false,
+        "x-typescript-type": "Partial<AuthRefreshTokenRequest>"
+      },
       "loopback.Count": {
         "type": "object",
         "title": "loopback.Count",
diff --git a/services/authentication-service/openapi.md b/services/authentication-service/openapi.md
index afdb350d34..3a59b53cb7 100644
--- a/services/authentication-service/openapi.md
+++ b/services/authentication-service/openapi.md
@@ -201,6 +201,389 @@ auth_method: string
 This operation does not require authentication
 </aside>
 
+## IdentityServerController.logout
+
+<a id="opIdIdentityServerController.logout"></a>
+
+> Code samples
+
+```javascript
+const inputBody = '{
+  "refreshToken": "string",
+  "tenantId": "string"
+}';
+const headers = {
+  'Content-Type':'application/json',
+  'Accept':'application/json',
+  'Authorization':'string'
+};
+
+fetch('/connect/endsession',
+{
+  method: 'POST',
+  body: inputBody,
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+const inputBody = {
+  "refreshToken": "string",
+  "tenantId": "string"
+};
+const headers = {
+  'Content-Type':'application/json',
+  'Accept':'application/json',
+  'Authorization':'string'
+};
+
+fetch('/connect/endsession',
+{
+  method: 'POST',
+  body: JSON.stringify(inputBody),
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/endsession`
+
+To logout
+
+> Body parameter
+
+```json
+{
+  "refreshToken": "string",
+  "tenantId": "string"
+}
+```
+
+<h3 id="identityservercontroller.logout-parameters">Parameters</h3>
+
+|Name|In|Type|Required|Description|
+|---|---|---|---|---|
+|Authorization|header|string|false|This is the access token which is required to authenticate user.|
+|body|body|[AuthRefreshTokenRequestPartial](#schemaauthrefreshtokenrequestpartial)|false|none|
+
+> Example responses
+
+> 200 Response
+
+```json
+{
+  "success": true
+}
+```
+
+<h3 id="identityservercontroller.logout-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Success Response|[SuccessResponse](#schemasuccessresponse)|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="warning">
+To perform this operation, you must be authenticated by means of one of the following methods:
+HTTPBearer
+</aside>
+
+## IdentityServerController.getKeys
+
+<a id="opIdIdentityServerController.getKeys"></a>
+
+> Code samples
+
+```javascript
+
+fetch('/connect/get-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+fetch('/connect/get-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/get-keys`
+
+Get the public keys
+
+<h3 id="identityservercontroller.getkeys-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|JWKS Keys|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="success">
+This operation does not require authentication
+</aside>
+
+## IdentityServerController.generateKeys
+
+<a id="opIdIdentityServerController.generateKeys"></a>
+
+> Code samples
+
+```javascript
+
+fetch('/connect/rotate-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+fetch('/connect/rotate-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/rotate-keys`
+
+Generate the set of public and private keys
+
+<h3 id="identityservercontroller.generatekeys-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|JWKS Keys|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="success">
+This operation does not require authentication
+</aside>
+
+## IdentityServerController.getToken
+
+<a id="opIdIdentityServerController.getToken"></a>
+
+> Code samples
+
+```javascript
+const inputBody = '{
+  "code": "string",
+  "clientId": "string"
+}';
+const headers = {
+  'Content-Type':'application/json',
+  'Accept':'application/json'
+};
+
+fetch('/connect/token',
+{
+  method: 'POST',
+  body: inputBody,
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+const inputBody = {
+  "code": "string",
+  "clientId": "string"
+};
+const headers = {
+  'Content-Type':'application/json',
+  'Accept':'application/json'
+};
+
+fetch('/connect/token',
+{
+  method: 'POST',
+  body: JSON.stringify(inputBody),
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/token`
+
+Send the code received from the POST /auth/login api and get refresh token and access token (webapps)
+
+> Body parameter
+
+```json
+{
+  "code": "string",
+  "clientId": "string"
+}
+```
+
+<h3 id="identityservercontroller.gettoken-parameters">Parameters</h3>
+
+|Name|In|Type|Required|Description|
+|---|---|---|---|---|
+|body|body|[AuthTokenRequest](#schemaauthtokenrequest)|false|none|
+
+> Example responses
+
+> 200 Response
+
+```json
+{
+  "accessToken": "string",
+  "refreshToken": "string",
+  "expires": 0,
+  "pubnubToken": "string"
+}
+```
+
+<h3 id="identityservercontroller.gettoken-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Token Response|[TokenResponse](#schematokenresponse)|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="success">
+This operation does not require authentication
+</aside>
+
+## IdentityServerController.me
+
+<a id="opIdIdentityServerController.me"></a>
+
+> Code samples
+
+```javascript
+
+const headers = {
+  'Authorization':'Bearer {access-token}'
+};
+
+fetch('/connect/userinfo',
+{
+  method: 'GET',
+
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+const headers = {
+  'Authorization':'Bearer {access-token}'
+};
+
+fetch('/connect/userinfo',
+{
+  method: 'GET',
+
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`GET /connect/userinfo`
+
+To get the user details
+
+> Example responses
+
+<h3 id="identityservercontroller.me-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|User Object|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<h3 id="identityservercontroller.me-responseschema">Response Schema</h3>
+
+<aside class="warning">
+To perform this operation, you must be authenticated by means of one of the following methods:
+HTTPBearer
+</aside>
+
 <h1 id="authentication-service-loginactivitycontroller">LoginActivityController</h1>
 
 ## LoginActivityController.getActiveUsers
@@ -3114,7 +3497,7 @@ fetch('/auth/google',
 |Status|Meaning|Description|Schema|
 |---|---|---|---|
 |200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Google Token Response,
-         (Deprecated: Possible security issue if secret is passed via query params, 
+         (Deprecated: Possible security issue if secret is passed via query params,
           please use the post endpoint)|[TokenResponse](#schematokenresponse)|
 
 <aside class="success">
@@ -5166,6 +5549,30 @@ IdpAuthRequest
 |client_secret|string|true|none|This property is supposed to be a string and is a required field|
 |auth_method|string|true|none|This property is supposed to be a string and is a required field|
 
+<h2 id="tocS_AuthRefreshTokenRequestPartial">AuthRefreshTokenRequestPartial</h2>
+<!-- backwards compatibility -->
+<a id="schemaauthrefreshtokenrequestpartial"></a>
+<a id="schema_AuthRefreshTokenRequestPartial"></a>
+<a id="tocSauthrefreshtokenrequestpartial"></a>
+<a id="tocsauthrefreshtokenrequestpartial"></a>
+
+```json
+{
+  "refreshToken": "string",
+  "tenantId": "string"
+}
+
+```
+
+AuthRefreshTokenRequestPartial
+
+### Properties
+
+|Name|Type|Required|Restrictions|Description|
+|---|---|---|---|---|
+|refreshToken|string|false|none|none|
+|tenantId|string|false|none|none|
+
 <h2 id="tocS_loopback.Count">loopback.Count</h2>
 <!-- backwards compatibility -->
 <a id="schemaloopback.count"></a>
diff --git a/services/authentication-service/package.json b/services/authentication-service/package.json
index 0589fe2be8..a7851f5c79 100644
--- a/services/authentication-service/package.json
+++ b/services/authentication-service/package.json
@@ -25,7 +25,6 @@
     }
   },
   "scripts": {
-    "start": "node -r source-map-support/register .",
     "prebuild": "npm run clean",
     "build": "lb-tsc && npm run openapi-spec && npm run apidocs",
     "build:watch": "lb-tsc --watch",
@@ -95,6 +94,7 @@
     "moment": "^2.29.3",
     "moment-timezone": "^0.5.34",
     "node-fetch": "^2.6.6",
+    "node-jose": "^2.2.0",
     "otplib": "^12.0.1",
     "passport-apple": "^2.0.1",
     "passport-auth0": "^1.4.4",
@@ -121,6 +121,7 @@
     "@types/node": "^18.11.9",
     "@types/node-fetch": "^2.6.1",
     "@types/node-forge": "^1.3.4",
+    "@types/node-jose": "^1.1.13",
     "@types/passport-apple": "^1.1.1",
     "@types/passport-auth0": "^1.0.9",
     "@types/passport-azure-ad": "^4.3.1",
diff --git a/services/authentication-service/src/component.ts b/services/authentication-service/src/component.ts
index 9647651bed..42c3ce92fc 100644
--- a/services/authentication-service/src/component.ts
+++ b/services/authentication-service/src/component.ts
@@ -81,6 +81,8 @@ import {
   InstagramOauth2SignupProvider,
   InstagramPostVerifyProvider,
   InstagramPreVerifyProvider,
+  JwksJWTAsymmetricSignerProvider,
+  JwksJWTAsymmetricVerifierProvider,
   JWTAsymmetricSignerProvider,
   JWTAsymmetricVerifierProvider,
   JwtPayloadProvider,
@@ -369,6 +371,14 @@ export class AuthenticationServiceComponent implements Component {
       this.providers[AuthCodeBindings.JWT_VERIFIER.key] =
         JWTSymmetricVerifierProvider;
     }
+
+    if (this.authConfig?.useIdentityServer) {
+      this.providers[AuthCodeBindings.JWT_SIGNER.key] =
+        JwksJWTAsymmetricSignerProvider;
+      this.providers[AuthCodeBindings.JWT_VERIFIER.key] =
+        JwksJWTAsymmetricVerifierProvider;
+    }
+
     this.providers[AuthServiceBindings.JWTPayloadProvider.key] =
       JwtPayloadProvider;
     this.providers[AuthServiceBindings.ForgotPasswordHandler.key] =
diff --git a/services/authentication-service/src/models/index.ts b/services/authentication-service/src/models/index.ts
index 80fa95edd4..dea77092e2 100644
--- a/services/authentication-service/src/models/index.ts
+++ b/services/authentication-service/src/models/index.ts
@@ -7,6 +7,7 @@ import {AuthClient} from './auth-client.model';
 import {AuthSecureClient} from './auth-secure-client.model';
 import {ForgetPasswordDto} from './forget-password-dto.model';
 import {ForgetPasswordResponseDto} from './forget-password-response-dto.model';
+import {JwtKeys} from './jwt-keys.model';
 import {LocalUserProfileDto} from './local-user-profile';
 import {LoginActivity} from './login-activity.model';
 import {OtpCache} from './otp-cache.model';
@@ -34,6 +35,7 @@ export * from './auth-client.model';
 export * from './auth-secure-client.model';
 export * from './forget-password-dto.model';
 export * from './forget-password-response-dto.model';
+export * from './jwt-keys.model';
 export * from './local-user-profile';
 export * from './login-activity.model';
 export * from './otp-cache.model';
@@ -81,4 +83,5 @@ export const models = [
   LocalUserProfileDto,
   LoginActivity,
   ActiveUsersFilter,
+  JwtKeys,
 ];
diff --git a/services/authentication-service/src/models/jwt-keys.model.ts b/services/authentication-service/src/models/jwt-keys.model.ts
new file mode 100644
index 0000000000..a8c61f0d31
--- /dev/null
+++ b/services/authentication-service/src/models/jwt-keys.model.ts
@@ -0,0 +1,44 @@
+import {Entity, model, property} from '@loopback/repository';
+
+@model({
+  name: 'jwt_keys',
+})
+export class JwtKeys extends Entity {
+  @property({
+    type: 'string',
+    id: true,
+  })
+  id?: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'key_id',
+  })
+  keyId: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'public_key',
+  })
+  publicKey: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'private_key',
+  })
+  privateKey: string;
+
+  @property({
+    type: 'date',
+    default: () => new Date(),
+    name: 'created_on',
+  })
+  createdOn?: Date;
+
+  constructor(data?: Partial<JwtKeys>) {
+    super(data);
+  }
+}
diff --git a/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
index 6601e7f00c..019494786c 100644
--- a/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
@@ -53,7 +53,7 @@ export class AppleLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
@@ -128,7 +128,8 @@ export class AppleLoginController {
       const token = await this.getAuthCode(client, user);
       const role = user.role;
       response.redirect(
-        `${process.env.WEBAPP_URL ?? ''}${client.redirectUrl
+        `${process.env.WEBAPP_URL ?? ''}${
+          client.redirectUrl
         }?code=${token}&role=${role}`,
       );
     } catch (error) {
diff --git a/services/authentication-service/src/modules/auth/controllers/auth0-login-controller.ts b/services/authentication-service/src/modules/auth/controllers/auth0-login-controller.ts
index 58b0d015ca..a06314e5c8 100644
--- a/services/authentication-service/src/modules/auth/controllers/auth0-login-controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/auth0-login-controller.ts
@@ -34,8 +34,10 @@ import {authorize} from 'loopback4-authorization';
 
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
+import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
+const auth0Scope = 'openid email profile';
 const queryGen = (from: 'body' | 'query') => {
   return (req: Request) => {
     return {
@@ -43,9 +45,6 @@ const queryGen = (from: 'body' | 'query') => {
     };
   };
 };
-
-const auth0Scope = 'openid email profile';
-
 export class Auth0LoginController {
   constructor(
     @repository(AuthClientRepository)
@@ -53,8 +52,16 @@ export class Auth0LoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
+    @inject('services.IdpLoginService')
+    private readonly idpLoginService: IdpLoginService,
   ) {}
 
+  /**
+   * @deprecated
+   *  This method should not be used, possible security issue
+   *  if secret is passed via query params, please use the post endpoint
+   */
+  @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
   @oas.deprecated()
   @get('/auth/auth0', {
@@ -69,34 +76,16 @@ export class Auth0LoginController {
       },
     },
   })
-  @authenticateClient(STRATEGY.CLIENT_PASSWORD)
-  @authenticate(
-    STRATEGY.AUTH0,
-    {
-      domain: process.env.AUTH0_DOMAIN,
-      clientID: process.env.AUTH0_CLIENT_ID,
-      clientSecret: process.env.AUTH0_CLIENT_SECRET,
-      callbackURL: process.env.AUTH0_CALLBACK_URL,
-      state: false,
-      profileFields: ['email', 'name'],
-      scope: auth0Scope,
-    },
-    queryGen('body'),
-  )
-
-  /**
-   * @deprecated
-   *  This method should not be used, possible security issue
-   *  if secret is passed via query params, please use the post endpoint
-   */
   async loginViaAuth0(
     @param.query.string('client_id')
     clientId?: string,
     @param.query.string('client_secret')
     clientSecret?: string,
   ): Promise<void> {
-    //do nothing
+    return this.idpLoginService.loginViaAuth0();
   }
+
+  @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
   @post('/auth/auth0', {
     responses: {
@@ -110,20 +99,6 @@ export class Auth0LoginController {
       },
     },
   })
-  @authenticateClient(STRATEGY.CLIENT_PASSWORD)
-  @authenticate(
-    STRATEGY.AUTH0,
-    {
-      domain: process.env.AUTH0_DOMAIN,
-      clientID: process.env.AUTH0_CLIENT_ID,
-      clientSecret: process.env.AUTH0_CLIENT_SECRET,
-      callbackURL: process.env.AUTH0_CALLBACK_URL,
-      state: false,
-      profileFields: ['email', 'name'],
-      scope: auth0Scope,
-    },
-    queryGen('body'),
-  )
   async postLoginViaAuth0(
     @requestBody({
       content: {
@@ -134,7 +109,7 @@ export class Auth0LoginController {
     })
     clientCreds?: ClientAuthRequest,
   ): Promise<void> {
-    //do nothing
+    return this.idpLoginService.loginViaAuth0();
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
index 8432586a99..5ce848569c 100644
--- a/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
@@ -52,7 +52,7 @@ export class AzureLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
@@ -215,7 +215,8 @@ export class AzureLoginController {
       const token = await this.getAuthCode(client, user);
       const role = user.role;
       response.redirect(
-        `${process.env.WEBAPP_URL ?? ''}${client.redirectUrl
+        `${process.env.WEBAPP_URL ?? ''}${
+          client.redirectUrl
         }?code=${token}&role=${role}`,
       );
     } catch (error) {
diff --git a/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
index 0293d210af..be92eaa359 100644
--- a/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
@@ -54,7 +54,7 @@ export class CognitoLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
index 305164a412..af619b63b0 100644
--- a/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
@@ -53,7 +53,7 @@ export class FacebookLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
index cf61a609c0..195dd0feae 100644
--- a/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
@@ -54,7 +54,7 @@ export class GoogleLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts b/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
index 6c0c3102e2..17020e28f9 100644
--- a/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
@@ -1,5 +1,4 @@
 import {inject} from '@loopback/core';
-import {repository} from '@loopback/repository';
 import {
   get,
   getModelSchemaRef,
@@ -9,11 +8,9 @@ import {
   requestBody,
 } from '@loopback/rest';
 import {
-  AuthenticateErrorKeys,
   CONTENT_TYPE,
   ErrorCodes,
   OPERATION_SECURITY_SPEC,
-  RevokedTokenRepository,
   STATUS_CODE,
   SuccessResponse,
   X_TS_TYPE,
@@ -26,19 +23,10 @@ import {
   STRATEGY,
 } from 'loopback4-authentication';
 import {authorize} from 'loopback4-authorization';
-import {
-  AuthCodeBindings,
-  AuthServiceBindings,
-  CodeReaderFn,
-  IUserActivity,
-  LoginType,
-  RefreshTokenRepository,
-  RefreshTokenRequest,
-  UserRepository,
-  UserTenantRepository,
-} from '../../..';
+import {JwtKeys} from '../../..';
 import {IdpLoginService} from '../../../services';
 import {
+  AuthRefreshTokenRequest,
   AuthTokenRequest,
   AuthUser,
   IdpAuthMethod,
@@ -49,23 +37,11 @@ import {
 
 export class IdentityServerController {
   constructor(
-    @inject(AuthCodeBindings.CODEREADER_PROVIDER)
-    private readonly codeReader: CodeReaderFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
     @inject(AuthenticationBindings.CURRENT_USER)
     private readonly user: AuthUser | undefined,
-    @repository(RevokedTokenRepository)
-    private readonly revokedTokens: RevokedTokenRepository,
-    @repository(RefreshTokenRepository)
-    public refreshTokenRepo: RefreshTokenRepository,
-    @repository(UserRepository)
-    public userRepo: UserRepository,
-    @repository(UserTenantRepository)
-    public userTenantRepo: UserTenantRepository,
-    @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
-    private readonly userActivity?: IUserActivity,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
@@ -92,7 +68,7 @@ export class IdentityServerController {
     })
     idpAuthRequest: IdpAuthRequest,
   ): Promise<void> {
-    switch (idpAuthRequest?.auth_method) {
+    switch (idpAuthRequest?.auth_method.toLocaleUpperCase()) {
       case IdpAuthMethod.COGNITO:
         await this.idpLoginService.loginViaCognito();
         break;
@@ -117,6 +93,9 @@ export class IdentityServerController {
       case IdpAuthMethod.KEYCLOAK:
         await this.idpLoginService.loginViaKeycloak();
         break;
+      case IdpAuthMethod.AUTH0:
+        await this.idpLoginService.loginViaAuth0();
+        break;
     }
   }
 
@@ -134,8 +113,8 @@ export class IdentityServerController {
       ...ErrorCodes,
     },
   })
-  async getConfig(): Promise<void> {
-    this.idpLoginService.getOpenIdConfiguration();
+  async getConfig(): Promise<IdpConfiguration> {
+    return this.idpLoginService.getOpenIdConfiguration();
   }
 
   @authorize({permissions: ['*']})
@@ -211,54 +190,45 @@ export class IdentityServerController {
     @requestBody({
       content: {
         [CONTENT_TYPE.JSON]: {
-          schema: getModelSchemaRef(RefreshTokenRequest, {
+          schema: getModelSchemaRef(AuthRefreshTokenRequest, {
             partial: true,
           }),
         },
       },
     })
-    req: RefreshTokenRequest,
+    req: AuthRefreshTokenRequest,
   ): Promise<SuccessResponse> {
-    const token = auth?.replace(/bearer /i, '');
-    if (!token || !req.refreshToken) {
-      throw new HttpErrors.UnprocessableEntity(
-        AuthenticateErrorKeys.TokenMissing,
-      );
-    }
-
-    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
-    if (!refreshTokenModel) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
-    }
-    if (refreshTokenModel.accessToken !== token) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
-    }
-    await this.revokedTokens.set(token, {token});
-    await this.refreshTokenRepo.delete(req.refreshToken);
-    if (refreshTokenModel.pubnubToken) {
-      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
-    }
-
-    const user = await this.userRepo.findById(refreshTokenModel.userId);
-
-    const userTenant = await this.userTenantRepo.findOne({
-      where: {userId: user.id},
-    });
+    return this.idpLoginService.logoutUser(auth, req);
+  }
 
-    if (this.userActivity?.markUserActivity)
-      this.idpLoginService.markUserActivity(
-        user,
-        userTenant,
-        {
-          ...user,
-          clientId: refreshTokenModel.clientId,
-        },
-        LoginType.LOGOUT,
-      );
-    return new SuccessResponse({
-      success: true,
+  @authorize({permissions: ['*']})
+  @post('/connect/rotate-keys', {
+    description: 'Generate the set of public and private keys',
+    responses: {
+      [STATUS_CODE.OK]: {
+        description: 'JWKS Keys',
+      },
+      ...ErrorCodes,
+    },
+  })
+  async generateKeys(): Promise<void> {
+    return this.idpLoginService.rotateKeys();
+  }
 
-      key: refreshTokenModel.userId,
-    });
+  @authorize({permissions: ['*']})
+  @post('/connect/get-keys', {
+    description: 'Get the public keys',
+    responses: {
+      [STATUS_CODE.OK]: {
+        description: 'JWKS Keys',
+      },
+      ...ErrorCodes,
+    },
+  })
+  async getKeys(): Promise<JwtKeys[]> {
+    return [];
+    // return this.jwtKeysRepository.find({
+    //   fields: { publicKey: true, id: true, keyId: true },
+    // });
   }
 }
diff --git a/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
index a879f3459f..06a82a5cac 100644
--- a/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
@@ -53,7 +53,7 @@ export class InstagramLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
index f0a9755dd5..b7253470db 100644
--- a/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
@@ -54,7 +54,7 @@ export class KeycloakLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/controllers/logout.controller.ts b/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
index 343932547a..b82373b3ca 100644
--- a/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
@@ -26,28 +26,13 @@ import {
   X_TS_TYPE,
 } from '@sourceloop/core';
 import {encode} from 'base-64';
-import crypto from 'crypto';
 import {HttpsProxyAgent} from 'https-proxy-agent';
-import {
-  authenticate,
-  AuthenticationBindings,
-  AuthErrorKeys,
-  STRATEGY,
-} from 'loopback4-authentication';
+import {authenticate, AuthErrorKeys, STRATEGY} from 'loopback4-authentication';
 import {authorize} from 'loopback4-authorization';
 import fetch from 'node-fetch';
 import {URLSearchParams} from 'url';
-import {LoginType} from '../../../enums';
 import {AuthServiceBindings} from '../../../keys';
-import {
-  AuthClient,
-  LoginActivity,
-  RefreshToken,
-  RefreshTokenRequest,
-  User,
-  UserTenant,
-} from '../../../models';
-import {JwtPayloadFn} from '../../../providers';
+import {RefreshTokenRequest} from '../../../models';
 import {
   LoginActivityRepository,
   RefreshTokenRepository,
@@ -55,7 +40,8 @@ import {
   UserRepository,
   UserTenantRepository,
 } from '../../../repositories';
-import {ActorId, IUserActivity} from '../../../types';
+import {IdpLoginService} from '../../../services';
+import {ActorId} from '../../../types';
 
 const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
 
@@ -65,8 +51,6 @@ const getProxyAgent = () => {
   }
   return undefined;
 };
-
-const size = 16;
 const SUCCESS_RESPONSE = 'Success Response';
 const AUTHENTICATE_USER =
   'This is the access token which is required to authenticate user.';
@@ -87,12 +71,8 @@ export class LogoutController {
     public userRepo: UserRepository,
     @repository(UserTenantRepository)
     public userTenantRepo: UserTenantRepository,
-    @inject(AuthServiceBindings.JWTPayloadProvider)
-    private readonly getJwtPayload: JwtPayloadFn,
-    @inject(AuthenticationBindings.CURRENT_CLIENT)
-    private readonly client: AuthClient | undefined,
-    @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
-    private readonly userActivity?: IUserActivity,
+    @inject('services.IdpLoginService')
+    private readonly idpLoginService: IdpLoginService,
   ) {}
 
   @authenticate(STRATEGY.BEARER, {
@@ -130,41 +110,7 @@ export class LogoutController {
     })
     req: RefreshTokenRequest,
   ): Promise<SuccessResponse> {
-    const token = auth?.replace(/bearer /i, '');
-    if (!token || !req.refreshToken) {
-      throw new HttpErrors.UnprocessableEntity(
-        AuthenticateErrorKeys.TokenMissing,
-      );
-    }
-
-    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
-    if (!refreshTokenModel) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
-    }
-    if (refreshTokenModel.accessToken !== token) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
-    }
-    await this.revokedTokens.set(token, {token});
-    await this.refreshTokenRepo.delete(req.refreshToken);
-    if (refreshTokenModel.pubnubToken) {
-      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
-    }
-
-    //
-
-    const user = await this.userRepo.findById(refreshTokenModel.userId);
-
-    const userTenant = await this.userTenantRepo.findOne({
-      where: {userId: user.id},
-    });
-
-    if (this.userActivity?.markUserActivity)
-      this.markUserActivity(refreshTokenModel, user, userTenant);
-    return new SuccessResponse({
-      success: true,
-
-      key: refreshTokenModel.userId,
-    });
+    return this.idpLoginService.logoutUser(auth, req);
   }
 
   @authenticate(STRATEGY.BEARER, {
@@ -441,80 +387,4 @@ export class LogoutController {
       key: refreshTokenModel.userId,
     });
   }
-
-  private markUserActivity(
-    refreshTokenModel: RefreshToken,
-    user: User,
-    userTenant: UserTenant | null,
-  ) {
-    const encryptionKey = process.env.ENCRYPTION_KEY;
-
-    if (encryptionKey) {
-      const iv = crypto.randomBytes(size);
-
-      /* encryption of IP Address */
-      const cipherIp = crypto.createCipheriv('aes-256-gcm', encryptionKey, iv);
-      const ip =
-        this.ctx.request.headers['x-forwarded-for']?.toString() ??
-        this.ctx.request.socket.remoteAddress?.toString() ??
-        '';
-      const encyptIp = Buffer.concat([
-        cipherIp.update(ip, 'utf8'),
-        cipherIp.final(),
-      ]);
-      const authTagIp = cipherIp.getAuthTag();
-      const ipAddress = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptIp.toString('hex'),
-        authTag: authTagIp.toString('hex'),
-      });
-
-      /* encryption of Paylolad Address */
-
-      const cipherPayload = crypto.createCipheriv(
-        'aes-256-gcm',
-        encryptionKey,
-        iv,
-      );
-      const activityPayload = JSON.stringify({
-        ...user,
-        clientId: refreshTokenModel.clientId,
-      });
-      const encyptPayload = Buffer.concat([
-        cipherPayload.update(activityPayload, 'utf8'),
-        cipherPayload.final(),
-      ]);
-      const authTagPayload = cipherIp.getAuthTag();
-      const tokenPayload = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptPayload.toString('hex'),
-        authTag: authTagPayload.toString('hex'),
-      });
-      let actor: string, tenantId;
-      if (userTenant) {
-        actor = userTenant[this.actorKey]?.toString() ?? '0';
-        tenantId = userTenant.tenantId;
-      } else {
-        actor = user['id']?.toString() ?? '0';
-        tenantId = user.defaultTenantId ?? '0';
-      }
-
-      const loginActivity = new LoginActivity({
-        actor,
-        tenantId,
-        loginTime: new Date(),
-        tokenPayload,
-        deviceInfo: this.ctx.request.headers['user-agent']?.toString(),
-        loginType: LoginType.LOGOUT,
-        ipAddress,
-      });
-      this.loginActivityRepo.create(loginActivity).catch(() => {
-        this.logger.error(
-          `Failed to add the login activity => ${JSON.stringify(
-            loginActivity,
-          )}`,
-        );
-      });
-    }
-  }
 }
diff --git a/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
index dfc4a33cbf..7495a1bcdb 100644
--- a/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
@@ -40,7 +40,7 @@ export class SamlLoginController {
     private readonly getAuthCode: AuthCodeGeneratorFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
   @authorize({permissions: ['*']})
diff --git a/services/authentication-service/src/modules/auth/models/idp-auth.method.ts b/services/authentication-service/src/modules/auth/models/idp-auth.method.ts
index f7b1cc30ba..d6a3dbe5f5 100644
--- a/services/authentication-service/src/modules/auth/models/idp-auth.method.ts
+++ b/services/authentication-service/src/modules/auth/models/idp-auth.method.ts
@@ -7,4 +7,5 @@ export enum IdpAuthMethod {
   AZURE = 'AZURE',
   INSTAGRAM = 'INSTAGRAM',
   KEYCLOAK = 'KEYCLOAK',
+  AUTH0 = 'AUTH0',
 }
diff --git a/services/authentication-service/src/providers/index.ts b/services/authentication-service/src/providers/index.ts
index 01dca82f0e..eab3388eda 100644
--- a/services/authentication-service/src/providers/index.ts
+++ b/services/authentication-service/src/providers/index.ts
@@ -30,6 +30,8 @@ export * from './google-pre-verify.provider';
 export * from './instagram-oauth2-signup.provider';
 export * from './instagram-post-verify.provider';
 export * from './instagram-pre-verify.provider';
+export * from './jwks-jwt-asymmertric-signer.provider';
+export * from './jwks-jwt-asymmetric-verifier.provider';
 export * from './jwt-asymmetric-signer.provider';
 export * from './jwt-asymmetric-verifier.provider';
 export * from './jwt-payload.provider';
diff --git a/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts b/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts
new file mode 100644
index 0000000000..a698c1b0c8
--- /dev/null
+++ b/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts
@@ -0,0 +1,49 @@
+// Copyright (c) 2023 Sourcefuse Technologies
+//
+// This software is released under the MIT License.
+// https://opensource.org/licenses/MIT
+import {Provider} from '@loopback/core';
+import {repository} from '@loopback/repository';
+import {HttpErrors} from '@loopback/rest';
+import * as jwt from 'jsonwebtoken';
+import {JwtKeysRepository} from '../repositories';
+import {JWTSignerFn} from './types';
+
+export class JwksJWTAsymmetricSignerProvider<T extends string | object | Buffer>
+  implements Provider<JWTSignerFn<T>>
+{
+  constructor(
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
+  ) {}
+
+  value(): JWTSignerFn<T> {
+    return async (data: T, options: jwt.SignOptions) => {
+      // Load private keys
+      const privateKeys = await this.jwtKeysRepo.find({
+        order: ['createdOn DESC'],
+      });
+
+      if (!privateKeys.length) {
+        throw new HttpErrors.InternalServerError('No keys found');
+      }
+
+      // Use the latest private key (assuming it's the last one added)
+      const privateKey = privateKeys[0];
+
+      const accessToken = jwt.sign(
+        data,
+        {
+          key: privateKey.privateKey,
+          passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+        },
+        {
+          ...options,
+          algorithm: 'RS256',
+          keyid: privateKey.keyId,
+        },
+      );
+      return accessToken;
+    };
+  }
+}
diff --git a/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts b/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts
new file mode 100644
index 0000000000..fec55ad583
--- /dev/null
+++ b/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts
@@ -0,0 +1,46 @@
+// Copyright (c) 2023 Sourcefuse Technologies
+//
+// This software is released under the MIT License.
+// https://opensource.org/licenses/MIT
+import {Provider} from '@loopback/core';
+import {repository} from '@loopback/repository';
+import * as jwt from 'jsonwebtoken';
+import * as jose from 'node-jose';
+import {JwtKeysRepository} from '../repositories';
+import {JWTVerifierFn} from './types';
+
+export class JwksJWTAsymmetricVerifierProvider<T>
+  implements Provider<JWTVerifierFn<T>>
+{
+  constructor(
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
+  ) {}
+  value(): JWTVerifierFn<T> {
+    return async (token: string, options: jwt.VerifyOptions) => {
+      // Get the key that matches the token's kid
+      const decoded = jwt.decode(token, {complete: true});
+      const kid = decoded?.header.kid;
+
+      // Load the JWKS
+      const key = await this.jwtKeysRepo.findOne({
+        where: {
+          keyId: kid,
+        },
+      });
+
+      if (!key) {
+        throw new Error('Key not found for verification');
+      }
+
+      // Convert the JWK to PEM format for verification
+      const jwkKey = await jose.JWK.asKey(key.publicKey, 'pem');
+      const pem = jwkKey.toPEM(false);
+
+      // Verify the token with the retrieved PEM-formatted public key
+      const payload = jwt.verify(token, pem, options) as T;
+
+      return payload;
+    };
+  }
+}
diff --git a/services/authentication-service/src/repositories/index.ts b/services/authentication-service/src/repositories/index.ts
index 1260da1ab7..a0f641de04 100644
--- a/services/authentication-service/src/repositories/index.ts
+++ b/services/authentication-service/src/repositories/index.ts
@@ -4,6 +4,7 @@
 // https://opensource.org/licenses/MIT
 import {AuthClientRepository} from './auth-client.repository';
 import {AuthSecureClientRepository} from './auth-secure-client.repository';
+import {JwtKeysRepository} from './jwt-keys.repository';
 import {LoginActivityRepository} from './login-activity.repository';
 import {OtpCacheRepository} from './otp-cache.repository';
 import {OtpRepository} from './otp.repository';
@@ -20,6 +21,7 @@ import {UserRepository} from './user.repository';
 
 export * from './auth-client.repository';
 export * from './auth-secure-client.repository';
+export * from './jwt-keys.repository';
 export * from './login-activity.repository';
 export * from './otp-cache.repository';
 export * from './otp.repository';
@@ -50,4 +52,5 @@ export const repositories = [
   TenantRepository,
   UserLevelResourceRepository,
   LoginActivityRepository,
+  JwtKeysRepository,
 ];
diff --git a/services/authentication-service/src/repositories/jwt-keys.repository.ts b/services/authentication-service/src/repositories/jwt-keys.repository.ts
new file mode 100644
index 0000000000..d811e76a32
--- /dev/null
+++ b/services/authentication-service/src/repositories/jwt-keys.repository.ts
@@ -0,0 +1,16 @@
+import {inject} from '@loopback/core';
+import {DefaultCrudRepository, juggler} from '@loopback/repository';
+import {JwtKeys} from '../models';
+import {AuthDbSourceName} from '../types';
+
+export class JwtKeysRepository extends DefaultCrudRepository<
+  JwtKeys,
+  typeof JwtKeys.prototype.id
+> {
+  constructor(
+    @inject(`datasources.${AuthDbSourceName}`)
+    dataSource: juggler.DataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}
diff --git a/services/authentication-service/src/repositories/sequelize/index.ts b/services/authentication-service/src/repositories/sequelize/index.ts
index 4d7d36a168..9441b49a32 100644
--- a/services/authentication-service/src/repositories/sequelize/index.ts
+++ b/services/authentication-service/src/repositories/sequelize/index.ts
@@ -8,6 +8,7 @@ import {RefreshTokenRepository} from '../refresh-token.repository';
 import {RevokedTokenRepository} from '../revoked-token.repository';
 import {AuthClientRepository} from './auth-client.repository';
 import {AuthSecureClientRepository} from './auth-secure-client.repository';
+import {JwtKeysRepository} from './jwt-keys.repository';
 import {LoginActivityRepository} from './login-activity.repository';
 import {RoleRepository} from './role.repository';
 import {TenantConfigRepository} from './tenant-config.repository';
@@ -18,6 +19,7 @@ import {UserLevelResourceRepository} from './user-level-resource.repository';
 import {UserTenantRepository} from './user-tenant.repository';
 import {UserRepository} from './user.repository';
 
+export * from '../jwt-keys.repository';
 export * from '../otp-cache.repository';
 export * from '../otp.repository';
 export * from '../refresh-token.repository';
@@ -50,4 +52,5 @@ export const repositories = [
   TenantRepository,
   UserLevelResourceRepository,
   LoginActivityRepository,
+  JwtKeysRepository,
 ];
diff --git a/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts b/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts
new file mode 100644
index 0000000000..a24a4ba39c
--- /dev/null
+++ b/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts
@@ -0,0 +1,19 @@
+import {inject} from '@loopback/core';
+import {
+  SequelizeCrudRepository,
+  SequelizeDataSource,
+} from '@loopback/sequelize';
+import {JwtKeys} from '../../models';
+import {AuthDbSourceName} from '../../types';
+
+export class JwtKeysRepository extends SequelizeCrudRepository<
+  JwtKeys,
+  typeof JwtKeys.prototype.id
+> {
+  constructor(
+    @inject(`datasources.${AuthDbSourceName}`)
+    dataSource: SequelizeDataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}
diff --git a/services/authentication-service/src/services/idp-login.service.ts b/services/authentication-service/src/services/idp-login.service.ts
index ea40a5af5b..505e677dd9 100644
--- a/services/authentication-service/src/services/idp-login.service.ts
+++ b/services/authentication-service/src/services/idp-login.service.ts
@@ -1,8 +1,13 @@
 import {BindingScope, inject, injectable} from '@loopback/core';
 import {AnyObject, repository} from '@loopback/repository';
 import {HttpErrors, RequestContext} from '@loopback/rest';
-import {AuthenticateErrorKeys, ILogger, LOGGER} from '@sourceloop/core';
-import crypto from 'crypto';
+import {
+  AuthenticateErrorKeys,
+  ILogger,
+  LOGGER,
+  SuccessResponse,
+} from '@sourceloop/core';
+import crypto, {generateKeyPairSync} from 'crypto';
 import {
   authenticate,
   AuthErrorKeys,
@@ -10,9 +15,16 @@ import {
   STRATEGY,
 } from 'loopback4-authentication';
 import moment from 'moment';
+import * as jose from 'node-jose';
 import {LoginType} from '../enums';
 import {AuthServiceBindings} from '../keys';
-import {AuthClient, LoginActivity, User, UserTenant} from '../models';
+import {
+  AuthClient,
+  LoginActivity,
+  RefreshTokenRequest,
+  User,
+  UserTenant,
+} from '../models';
 import {
   AuthTokenRequest,
   AuthUser,
@@ -20,14 +32,15 @@ import {
   TokenResponse,
 } from '../modules/auth';
 import {
-  AuthCodeBindings,
   CodeReaderFn,
   JwtPayloadFn,
   JWTSignerFn,
   JWTVerifierFn,
 } from '../providers';
+import {AuthCodeBindings} from '../providers/keys';
 import {
   AuthClientRepository,
+  JwtKeysRepository,
   LoginActivityRepository,
   RefreshTokenRepository,
   RevokedTokenRepository,
@@ -39,7 +52,7 @@ import {ActorId, ExternalTokens, IUserActivity} from '../types';
 const clockSkew = 300;
 const nonceTime = 3600;
 const nonceCount = 10;
-
+const auth0Scope = 'openid email profile';
 @injectable({scope: BindingScope.TRANSIENT})
 export class IdpLoginService {
   constructor(
@@ -51,6 +64,8 @@ export class IdpLoginService {
     public userTenantRepo: UserTenantRepository,
     @repository(RefreshTokenRepository)
     public refreshTokenRepo: RefreshTokenRepository,
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
     @repository(RevokedTokenRepository)
     public revokedTokensRepo: RevokedTokenRepository,
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
@@ -69,7 +84,7 @@ export class IdpLoginService {
     private readonly getJwtPayload: JwtPayloadFn,
     @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
     private readonly userActivity?: IUserActivity,
-  ) { }
+  ) {}
 
   @authenticate(STRATEGY.COGNITO_OAUTH2, {
     callbackURL: process.env.COGNITO_AUTH_CALLBACK_URL,
@@ -199,21 +214,41 @@ export class IdpLoginService {
     // do nothing
   }
 
+  @authenticate(STRATEGY.AUTH0, {
+    domain: process.env.AUTH0_DOMAIN,
+    clientID: process.env.AUTH0_CLIENT_ID,
+    clientSecret: process.env.AUTH0_CLIENT_SECRET,
+    callbackURL: process.env.AUTH0_CALLBACK_URL,
+    state: false,
+    profileFields: ['email', 'name'],
+    scope: auth0Scope,
+  })
+  async loginViaAuth0(): Promise<void> {
+    // do nothing
+  }
+
   /**
    * The function `getOpenIdConfiguration` returns an IdpConfiguration object with specific properties
    * set based on environment variables.
    * @returns An IdpConfiguration object with the specified properties and values is being returned.
    */
-  getOpenIdConfiguration() {
+  async getOpenIdConfiguration() {
+    await this.generateJWKS();
+
     const config = new IdpConfiguration();
-    config.issuer = '';
+    config.issuer = `${process.env.API_BASE_URL}`;
     config.authorization_endpoint = `${process.env.API_BASE_URL}/connect/auth`;
     config.token_endpoint = `${process.env.API_BASE_URL}/connect/token`;
-    config.jwks_uri = '';
+    config.jwks_uri = `${process.env.API_BASE_URL}/connect/get-keys`;
     config.end_session_endpoint = `${process.env.API_BASE_URL}/connect/endsession`;
-    config.response_types_supported = ['code'];
+    config.response_types_supported = ['code', 'id_token', 'token'];
     config.scopes_supported = ['openid', 'email', 'phone', 'profile'];
-    config.id_token_signing_alg_values_supported = ['RS256'];
+    config.id_token_signing_alg_values_supported = [
+      'RS256',
+      'HS256',
+      'RS384',
+      'RS512',
+    ];
     config.token_endpoint_auth_methods_supported = [
       'client_secret_basic',
       'client_secret_post',
@@ -484,4 +519,150 @@ export class IdpLoginService {
       });
     }
   }
+
+  /**
+   * The `logoutUser` function in TypeScript handles the logout process for a user
+   * by revoking tokens and deleting refresh tokens.
+   * @param {string} auth - The `auth` parameter in the `logoutUser` function is a
+   * string that represents the authentication token. It is used to identify and
+   * authenticate the user who is attempting to log out. The function extracts the
+   * token from the `auth` parameter and performs various checks and operations
+   * related to user logout based on
+   * @param {RefreshTokenRequest} req - The `req` parameter in the `logoutUser`
+   * function is of type `RefreshTokenRequest`. It likely contains information
+   * related to the refresh token that is used to identify and authenticate the
+   * user during the logout process. This parameter may include properties such as
+   * `refreshToken`, which is essential for revoking
+   * @returns The `logoutUser` function returns a `Promise` that resolves to a
+   * `SuccessResponse` object with a `success` property set to `true` and a `key`
+   * property set to `refreshTokenModel.userId`.
+   */
+  async logoutUser(
+    auth: string,
+    req: RefreshTokenRequest,
+  ): Promise<SuccessResponse> {
+    const token = auth?.replace(/bearer /i, '');
+    if (!token || !req.refreshToken) {
+      throw new HttpErrors.UnprocessableEntity(
+        AuthenticateErrorKeys.TokenMissing,
+      );
+    }
+
+    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
+    if (!refreshTokenModel) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
+    }
+    if (refreshTokenModel.accessToken !== token) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
+    }
+    await this.revokedTokensRepo.set(token, {token});
+    await this.refreshTokenRepo.delete(req.refreshToken);
+    if (refreshTokenModel.pubnubToken) {
+      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
+    }
+
+    const user = await this.userRepo.findById(refreshTokenModel.userId);
+
+    const userTenant = await this.userTenantRepo.findOne({
+      where: {userId: user.id},
+    });
+
+    if (this.userActivity?.markUserActivity)
+      this.markUserActivity(
+        user,
+        userTenant,
+        {
+          ...user,
+          clientId: refreshTokenModel.clientId,
+        },
+        LoginType.LOGOUT,
+      );
+    return new SuccessResponse({
+      success: true,
+
+      key: refreshTokenModel.userId,
+    });
+  }
+
+  /**
+   * The function generates a JSON Web Key Set (JWKS) containing a RSA public key and saves it to a
+   * file.
+   */
+  async generateJWKS(): Promise<void> {
+    // Generate the RSA key pair
+    const {publicKey, privateKey} = generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem',
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+        cipher: 'aes-256-cbc',
+        passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+      },
+    });
+
+    // Create the JWKS object
+    const keyStore = jose.JWK.createKeyStore();
+    const key = await keyStore.add(publicKey, 'pem');
+
+    // Save public and private keys to the database using JwtKeysRepository
+    await this.jwtKeysRepo.create({
+      keyId: key.kid, // Unique identifier for the key
+      publicKey: publicKey,
+      privateKey: privateKey,
+    });
+
+    console.log('JWKS has been generated and saved to the database');
+  }
+
+  /**
+   * The function rotates the RSA keys used for signing JWT tokens. It generates a new key pair,
+   * adds the public key to the JWKS, and saves the private key to a file.
+   */
+  async rotateKeys(): Promise<void> {
+    // Generate a new RSA key pair
+    const {publicKey, privateKey} = generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem',
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+        cipher: 'aes-256-cbc',
+        passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+      },
+    });
+
+    // Create a new KeyStore and add the public key
+    const keyStore = jose.JWK.createKeyStore();
+    const newKey = await keyStore.add(publicKey, 'pem');
+    const newKid = `key-${Date.now()}`;
+    newKey.kid = newKid;
+
+    // Fetch existing keys from the database
+    const existingKeys = await this.jwtKeysRepo.find({
+      order: ['createdOn ASC'],
+    });
+
+    // Rotate keys: remove the oldest key if max limit is exceeded
+    const maxKeys = +(process.env.MAX_JWT_KEYS || 2);
+    if (existingKeys.length >= maxKeys) {
+      const oldestKey = existingKeys[0];
+      await this.jwtKeysRepo.deleteById(oldestKey.id);
+    }
+
+    // Save the new public and private keys to the repository
+    await this.jwtKeysRepo.create({
+      keyId: newKid,
+      publicKey: publicKey,
+      privateKey: privateKey,
+    });
+
+    console.log('Keys have been rotated and saved to the database.');
+  }
 }
diff --git a/services/authentication-service/src/types.ts b/services/authentication-service/src/types.ts
index 2236374577..bd440315de 100644
--- a/services/authentication-service/src/types.ts
+++ b/services/authentication-service/src/types.ts
@@ -14,6 +14,7 @@ import {AuthRefreshTokenRequest} from './modules/auth';
 // sonarignore:start
 export interface IAuthServiceConfig extends IServiceConfig {
   useSymmetricEncryption?: boolean;
+  useIdentityServer?: boolean;
 }
 // sonarignore:end