diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml
index 704b01d..e093e50 100644
--- a/parcellab/common/Chart.yaml
+++ b/parcellab/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A Helm chart library for parcelLab charts
 type: library
-version: 1.3.1
+version: 1.3.2
 maintainers:
 - name: parcelLab
 email: engineering@parcellab.com
diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl
index 3e0666f..a5893ac 100644
--- a/parcellab/common/templates/_securitypolicies.tpl
+++ b/parcellab/common/templates/_securitypolicies.tpl
@@ -39,6 +39,7 @@
 {{- $claimToHeaders := coalesce $policy.claimToHeaders $globalClaimHeaders -}}
 {{- $jwtProviderName := coalesce $policy.jwtProviderName $globalJwtProviderName "keycloak" -}}
 {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}}
+{{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}}
 {{- $targetRef := $policy.targetRef -}}
 {{- $targetRefs := $policy.targetRefs -}}
 {{- $rawSelectors := list -}}
@@ -84,6 +85,10 @@ spec:
 oidc:
 provider:
 issuer: {{ $issuer | quote }}
+{{- with $backendRefs }}
+backendRefs:
+{{- toYaml . | nindent 8 }}
+{{- end }}
 clientID: {{ $clientID | quote }}
 clientSecret:
 name: {{ $clientSecretName | quote }}
@@ -104,6 +109,10 @@ spec:
 remoteJWKS:
 cacheDuration: 300s
 uri: {{ $jwksURI | quote }}
+{{- with $backendRefs }}
+backendRefs:
+{{- toYaml . | nindent 12 }}
+{{- end }}
 {{- with $claimToHeaders }}
 claimToHeaders:
 {{ toYaml . | nindent 8 }}
diff --git a/parcellab/cronjob/Chart.yaml b/parcellab/cronjob/Chart.yaml
index 481808c..5b55c1d 100644
--- a/parcellab/cronjob/Chart.yaml
+++ b/parcellab/cronjob/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cronjob
 description: Single cron job
-version: 0.4.3
+version: 0.5.0
 dependencies:
 - name: common
 version: "*"
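Review bot: `coalesce $policy.backendRefs $security.backendRefs` in the `@@ -39` hunk treats an empty per-policy list like an absent one, so a policy cannot opt out of globally configured backendRefs by setting `backendRefs: []`; if a per-policy opt-out is intended, decide on key presence instead, e.g. `{{- $backendRefs := ternary $policy.backendRefs $security.backendRefs (hasKey $policy "backendRefs") -}}`. The neighbouring globals are read through `$globalClaimHeaders`, `$globalJwtProviderName` and `$globalJwksURI`, while this line reaches into `$security` directly; a `$globalBackendRefs` variable defined alongside the others (presumably above this hunk) would keep the style uniform. The enclosing template starts before and ends after the hunk.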
diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml
index b32100f..acb0b57 100644
--- a/parcellab/microservice/Chart.yaml
+++ b/parcellab/microservice/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: microservice
 description: Simple microservice
-version: 0.5.1
+version: 0.5.2
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index 65e740c..0b4dcc3 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
@@ -116,6 +116,12 @@ envoy:
 # claimToHeaders:
 # - header: "x-user-email"
 # claim: "email"
+# backendRefs: # optional: used by both oidc.provider and jwt.remoteJWKS to route to the IdP service directly
+# - group: ""
+# kind: Service
+# name: keycloak
+# namespace: keycloak
+# port: 80
 # policies:
 # - name: staff-only
 # targetRef:
@@ -132,6 +138,12 @@ envoy:
 # - name: groups
 # valueType: StringArray
 # values: ["staff"]
+# backendRefs: # optional: overrides the global backendRefs above for this policy only
+# - group: ""
+# kind: Service
+# name: keycloak
+# namespace: keycloak
+# port: 80
 ##
 ## Cronjob
diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml
index 5d5baf8..9bb24af 100644
--- a/parcellab/monolith/Chart.yaml
+++ b/parcellab/monolith/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: monolith
 description: Application that may define multiple services and cronjobs
-version: 0.5.1
+version: 0.5.2
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index 7929514..a291bfd 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
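Review bot: The example `backendRefs` entries in both the `@@ -116` and `@@ -132` hunks point at a Service in another namespace (`namespace: keycloak`) on `port: 80`, and the comment says nothing about what that needs from the cluster. Under the Gateway API reference semantics these `backendRefs` appear to follow, a cross-namespace reference is only honoured when a ReferenceGrant in the referenced namespace allows it, and a plain port 80 reference would carry the token-exchange and JWKS requests unencrypted unless a backend TLS policy covers that Service. A line next to the example would save operators a silent policy failure, e.g. `# cross-namespace refs need a ReferenceGrant in the target namespace; prefer the TLS port or a BackendTLSPolicy` (adjust to the gateway implementation in use). The same example is repeated in `parcellab/monolith/values.yaml` (`@@ -145`), which would take the same note.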
@@ -145,12 +145,24 @@ envoy:
 # claimToHeaders:
 # - header: "x-user-email"
 # claim: "email"
+# backendRefs: # optional: backend service for oidc.provider and jwt.remoteJWKS; applies globally to all policies unless overridden per-policy
+# - group: ""
+# kind: Service
+# name: keycloak
+# namespace: keycloak
+# port: 80
 # policies:
 # - name: staff-only
 # targetRef:
 # kind: HTTPRoute
 # name: my-default-route
 # group: "gateway.networking.k8s.io"
+# backendRefs: # optional: overrides the global backendRefs above for this policy
+# - group: ""
+# kind: Service
+# name: keycloak
+# namespace: keycloak
+# port: 80
 # authorizationRules:
 # - name: member-of-staff-group
 # action: Allow