If Jenkins is not accessible from the Internet then a cloud service would not be able to fetch public keys from the issuer. There should be a way to configure an alternate issuer URL, corresponding to some server actually controlled by the administrator, which could replicate the JWKS document from Jenkins via some push or pull mechanism TBD (or just manually copied, if the keys are rarely rotated).
If Jenkins is not accessible from the Internet then a cloud service would not be able to fetch public keys from the issuer. There should be a way to configure an alternate
issuer URL, corresponding to some server actually controlled by the administrator, which could replicate the JWKS document from Jenkins via some push or pull mechanism TBD (or just manually copied, if the keys are rarely rotated).