Oathkeeper is exposed via its public port, but for JWT consumers to have access to public keys in JWKS, they need to be able to fetch it. So I guess I should also expose the .well-known/jwks.json path from the oathkeeper api path. Otherwise I am not exposing the api paths, because they seem sensitive. Am I understanding this right?
You can, but only if you use public/private keys (RSA, ECDSA, …). If you include symmetric keys (HS / HMAC-SHA) do not expose the endpoint!
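The point in the reply above (a JWKS is safe to publish only when it holds nothing but public key parts) can be turned into a pre-flight check. The script below is an added example, not Oathkeeper's or Ory's code: it scans a JWKS document for symmetric keys (`kty: oct`, whose `k` member is the HMAC secret) and for private components left in asymmetric keys (`d` for EC/OKP, `d`/`p`/`q`/`dp`/`dq`/`qi`/`oth` for RSA), and produces a filtered document containing only keys that are safe to expose. The sample JWKS entries are constructed placeholders, not real key material.

```python
import json

# Key types whose only member ("k") is a shared secret; never publishable.
SYMMETRIC_KEY_TYPES = {"oct"}

# JWK members (RFC 7518) that carry private key material for RSA, EC and OKP keys.
PRIVATE_FIELDS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample JWKS; values are placeholders, not real keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
         "n": "constructed-modulus", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "constructed-x", "y": "constructed-y"},
        # HS256 key: the JWKS entry itself is the shared secret.
        {"kty": "oct", "kid": "hs-1", "use": "sig", "alg": "HS256",
         "k": "constructed-shared-secret"},
        # EC key that still carries its private scalar "d".
        {"kty": "EC", "kid": "ec-priv", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "constructed-x", "y": "constructed-y", "d": "constructed-private-scalar"},
    ]
}


def unsafe_keys(jwks):
    """Return a list of (kid, reason) for every key that must not be published."""
    findings = []
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        kty = key.get("kty")
        if kty in SYMMETRIC_KEY_TYPES:
            findings.append((kid, f"symmetric key (kty={kty}); publishing it leaks the HMAC secret"))
            continue
        leaked = sorted(PRIVATE_FIELDS & key.keys())
        if leaked:
            findings.append((kid, f"private key material present: {leaked}"))
    return findings


def public_jwks(jwks):
    """Return a new JWKS containing only keys that are safe to expose publicly."""
    flagged = {kid for kid, _ in unsafe_keys(jwks)}
    return {"keys": [k for k in jwks.get("keys", []) if k.get("kid", "<no kid>") not in flagged]}


if __name__ == "__main__":
    # Typical use: load the document your JWKS endpoint would serve, audit it,
    # and refuse to expose it (or serve the filtered copy) if anything is flagged.
    for kid, reason in unsafe_keys(SAMPLE_JWKS):
        print(f"DO NOT EXPOSE kid={kid}: {reason}")
    print(json.dumps(public_jwks(SAMPLE_JWKS), indent=2))
```

In practice you would feed the script the JSON that the `.well-known/jwks.json` endpoint actually returns (for example by piping the response into it) and make the exposure decision on the result: an empty finding list means the document contains only public parts and can sit behind the public port; any finding means the endpoint must stay unexposed until the offending key is removed or replaced with an asymmetric one.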