diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 5b1b7cb6a60..2e0dbdbaddf 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -514,12 +514,15 @@ func ClusterRoles() []rbacv1.ClusterRole {
 	}...)
 
 	// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
+	// Also allow slash-ended URLs to allow clients generated from published openapi docs prior to fixing the trailing slash to work properly
 	roles = append(roles, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
 		Rules: []rbacv1.PolicyRule{
 			rbacv1helpers.NewRule("get").URLs(
 				"/.well-known/openid-configuration",
+				"/.well-known/openid-configuration/",
 				"/openid/v1/jwks",
+				"/openid/v1/jwks/",
 			).RuleOrDie(),
 		},
 	})
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index d5509e42da3..205e3b91e9c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -1265,7 +1265,9 @@ items:
   rules:
   - nonResourceURLs:
     - /.well-known/openid-configuration
+    - /.well-known/openid-configuration/
     - /openid/v1/jwks
+    - /openid/v1/jwks/
   verbs:
   - get
- apiVersion: rbac.authorization.k8s.io/v1
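Review bot: The comment added above the `roles = append(...)` call describes the slash-ended entries as a transitional workaround but gives no removal condition and no reference, so a later maintainer cannot tell when the two extra `URLs(...)` literals become safe to drop. It should also record why they are spelled out exactly rather than as a `*` suffix wildcard: RBAC nonResourceURLs are matched literally, and a wildcard such as `/openid/v1/jwks*` would additionally grant any path sharing that prefix, which the explicit entries avoid. A tighter version would be `// Also accept the trailing-slash forms; nonResourceURLs match exactly, so these are separate entries (not a "*" wildcard, which would over-grant). Kept for clients generated from earlier published OpenAPI docs — remove when those are out of support (see <TRACKING-ISSUE-PLACEHOLDER>).` Whether the discovery handler itself serves the slash-ended paths is not visible in this hunk, so the grant is presumably paired with a routing change elsewhere and should be confirmed against it. ClusterRoles begins before and continues past this hunk.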