diff --git a/charts/identity-gatekeeper/Chart.yaml b/charts/identity-gatekeeper/Chart.yaml
index 35cc4e8..ad55dc9 100644
--- a/charts/identity-gatekeeper/Chart.yaml
+++ b/charts/identity-gatekeeper/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.3
+version: 1.0.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/identity-gatekeeper/templates/_helpers.tpl b/charts/identity-gatekeeper/templates/_helpers.tpl
index 65872a2..8b0459f 100644
--- a/charts/identity-gatekeeper/templates/_helpers.tpl
+++ b/charts/identity-gatekeeper/templates/_helpers.tpl
@@ -79,4 +79,11 @@ Return the target Kubernetes version
 */}}
 {{- define "identity-gatekeeper.kubeVersion" -}}
 {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "identity-gatekeeper.proxyServiceUrl" -}}
+http://{{ include "identity-gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.proxy.port }}
+{{- end }}
diff --git a/charts/identity-gatekeeper/values.yaml b/charts/identity-gatekeeper/values.yaml
index c8e7efe..8eb652b 100644
--- a/charts/identity-gatekeeper/values.yaml
+++ b/charts/identity-gatekeeper/values.yaml
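Review bot: The doc comment on the new `proxyServiceUrl` helper is copied from a service-account helper and describes the wrong thing; replace `Create the name of the service account to use` with `Return the in-cluster base URL (http scheme, service FQDN and proxy port) of the gatekeeper proxy Service`. The helper fixes the scheme to plain `http://`, so every caller, including the ingress snippets, reaches gatekeeper in cleartext inside the cluster; that is presumably intended, but stating it in the comment stops a later reader assuming TLS is in play. It would also help to note that `.Values.service.proxy.port` is rendered unquoted and must be set, since an empty value yields `…svc.cluster.local:` and a broken upstream.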
@@ -100,9 +100,16 @@ ingress:
 add_header Access-Control-Allow-Methods "*";
 add_header Access-Control-Allow-Headers "Authorization, Origin, Content-Type";
 nginx.ingress.kubernetes.io/server-snippet: |
+ # Open endpoints provided by gatekeeper itself
+ # - which should passthru to gatekeeper, rather than the 'target' protected service,
+ # without need for any auth.
+ location /oauth/(authorize|callback|expired|health|login|logout|token|metrics|discovery) {
+ proxy_pass {{ include "identity-gatekeeper.proxyServiceUrl" . }}/$request_uri;
+ }
+ # Endpoint for the nginx 'auth_request' - which directs to gatekeeper
 location ^~ /auth {
 internal;
- proxy_pass http://{{ include "identity-gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.proxy.port }}/$request_uri;
+ proxy_pass {{ include "identity-gatekeeper.proxyServiceUrl" . }}/$request_uri;
 proxy_pass_request_body off;
 proxy_set_header Content-Length "";
 proxy_set_header X-Forwarded-Proto $scheme;
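Review bot: The new `location /oauth/(authorize|…|discovery) {` block has no `~` modifier, so nginx treats it as a literal prefix match on the string `/oauth/(authorize|…` and it will never match a real request; `/oauth/callback` and the other listed paths keep falling through to the auth_request-protected default location, which is exactly what the passthrough was meant to avoid. Make it a regex location: `location ~ ^/oauth/(authorize|callback|expired|health|login|logout|token|metrics|discovery)$ {` (drop the `$` if gatekeeper serves anything below those paths). Inside it `proxy_pass …/$request_uri` would send `//oauth/…` upstream because `$request_uri` already starts with `/`; `proxy_pass {{ include "identity-gatekeeper.proxyServiceUrl" . }}$request_uri;` avoids that (the pre-existing `/auth` block carries the same quirk). Once the block actually matches, `/oauth/metrics` and `/oauth/health` become reachable from outside with no authentication, so confirm that exposing the metrics endpoint publicly is intended or leave `metrics` out of the list. The enclosing `ingress.annotations` mapping begins before this hunk.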