diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index a3230ac9..42ecc83f 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -21,23 +21,23 @@
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/http",
-			"Rev": "48e2a9be3918af3299c4b390399346447eefea22"
+			"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/jose",
-			"Rev": "48e2a9be3918af3299c4b390399346447eefea22"
+			"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/key",
-			"Rev": "48e2a9be3918af3299c4b390399346447eefea22"
+			"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/oauth2",
-			"Rev": "48e2a9be3918af3299c4b390399346447eefea22"
+			"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
 		},
 		{
 			"ImportPath": "github.com/coreos/go-oidc/oidc",
-			"Rev": "48e2a9be3918af3299c4b390399346447eefea22"
+			"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
 		},
 		{
 			"ImportPath": "github.com/coreos/pkg/capnslog",
diff --git a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/key.go b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/key.go
index 3edae468..de625037 100644
--- a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/key.go
+++ b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/key.go
@@ -135,7 +135,7 @@ func (s *PrivateKeySet) Active() *PrivateKey {
 type GeneratePrivateKeyFunc func() (*PrivateKey, error)
 
 func GeneratePrivateKey() (*PrivateKey, error) {
-	pk, err := rsa.GenerateKey(rand.Reader, 1024)
+	pk, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, err
 	}
diff --git a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/repo.go b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/repo.go
index 1d4ce8d3..1acdeb36 100644
--- a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/repo.go
+++ b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/repo.go
@@ -1,6 +1,9 @@
 package key
 
-import "errors"
+import (
+	"errors"
+	"sync"
+)
 
 var ErrorNoKeys = errors.New("no keys found")
 
@@ -22,6 +25,7 @@ func NewPrivateKeySetRepo() PrivateKeySetRepo {
 }
 
 type memPrivateKeySetRepo struct {
+	mu  sync.RWMutex
 	pks PrivateKeySet
 }
 
@@ -33,11 +37,17 @@ func (r *memPrivateKeySetRepo) Set(ks KeySet) error {
 		return errors.New("nil KeySet")
 	}
 
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
 	r.pks = *pks
 	return nil
 }
 
 func (r *memPrivateKeySetRepo) Get() (KeySet, error) {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
 	if r.pks.keys == nil {
 		return nil, ErrorNoKeys
 	}
diff --git a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/sync.go b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/sync.go
index 076ee462..e8d5d03d 100644
--- a/Godeps/_workspace/src/github.com/coreos/go-oidc/key/sync.go
+++ b/Godeps/_workspace/src/github.com/coreos/go-oidc/key/sync.go
@@ -29,7 +29,7 @@ func (s *KeySetSyncer) Run() chan struct{} {
 		var failing bool
 		var next time.Duration
 		for {
-			exp, err := sync(s.readable, s.writable, s.clock)
+			exp, err := syncKeySet(s.readable, s.writable, s.clock)
 			if err != nil || exp == 0 {
 				if !failing {
 					failing = true
@@ -62,12 +62,12 @@ func (s *KeySetSyncer) Run() chan struct{} {
 }
 
 func Sync(r ReadableKeySetRepo, w WritableKeySetRepo) (time.Duration, error) {
-	return sync(r, w, clockwork.NewRealClock())
+	return syncKeySet(r, w, clockwork.NewRealClock())
 }
 
-// sync copies the keyset from r to the KeySet at w and returns the duration in which the KeySet will expire.
+// syncKeySet copies the keyset from r to the KeySet at w and returns the duration in which the KeySet will expire.
 // If keyset has already expired, returns a zero duration.
-func sync(r ReadableKeySetRepo, w WritableKeySetRepo, clock clockwork.Clock) (exp time.Duration, err error) {
+func syncKeySet(r ReadableKeySetRepo, w WritableKeySetRepo, clock clockwork.Clock) (exp time.Duration, err error) {
 	var ks KeySet
 	ks, err = r.Get()
 	if err != nil {
diff --git a/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go b/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go
index 76330237..3a73e04a 100644
--- a/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go
+++ b/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/client.go
@@ -101,34 +101,12 @@ type Client struct {
 	redirectURL    string
 	scope          []string
 	keySet         key.PublicKeySet
+	providerSyncer *ProviderConfigSyncer
 
 	keySetSyncMutex sync.RWMutex
 	lastKeySetSync  time.Time
 }
 
-type providerConfigRepo struct {
-	mu     sync.RWMutex
-	config ProviderConfig // do not access directly, use Get()
-}
-
-func newProviderConfigRepo(pc ProviderConfig) *providerConfigRepo {
-	return &providerConfigRepo{sync.RWMutex{}, pc}
-}
-
-// returns an error to implement ProviderConfigSetter
-func (r *providerConfigRepo) Set(cfg ProviderConfig) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.config = cfg
-	return nil
-}
-
-func (r *providerConfigRepo) Get() ProviderConfig {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-	return r.config
-}
-
 func (c *Client) Healthy() error {
 	now := time.Now().UTC()
 
@@ -178,9 +156,13 @@ func chooseAuthMethod(cfg ProviderConfig) (string, error) {
 	return "", errors.New("no supported auth methods")
 }
 
+// SyncProviderConfig starts the provider config syncer
 func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{} {
 	r := NewHTTPProviderConfigGetter(c.httpClient, discoveryURL)
-	return NewProviderConfigSyncer(r, c.providerConfig).Run()
+	s := NewProviderConfigSyncer(r, c.providerConfig)
+	stop := s.Run()
+	s.WaitUntilInitialSync()
+	return stop
 }
 
 func (c *Client) maybeSyncKeys() error {
@@ -340,3 +322,26 @@ func (c *Client) keysFuncAll() func() []key.PublicKey {
 		return c.keySet.Keys()
 	}
 }
+
+type providerConfigRepo struct {
+	mu     sync.RWMutex
+	config ProviderConfig // do not access directly, use Get()
+}
+
+func newProviderConfigRepo(pc ProviderConfig) *providerConfigRepo {
+	return &providerConfigRepo{sync.RWMutex{}, pc}
+}
+
+// returns an error to implement ProviderConfigSetter
+func (r *providerConfigRepo) Set(cfg ProviderConfig) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.config = cfg
+	return nil
+}
+
+func (r *providerConfigRepo) Get() ProviderConfig {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	return r.config
+}
diff --git a/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go b/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go
index 1eca7a83..f2f165fd 100644
--- a/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go
+++ b/Godeps/_workspace/src/github.com/coreos/go-oidc/oidc/provider.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"sync"
 	"time"
 
 	"github.com/coreos/pkg/capnslog"
@@ -75,6 +76,9 @@ type ProviderConfigSyncer struct {
 	from  ProviderConfigGetter
 	to    ProviderConfigSetter
 	clock clockwork.Clock
+
+	initialSyncDone bool
+	initialSyncWait sync.WaitGroup
 }
 
 func NewProviderConfigSyncer(from ProviderConfigGetter, to ProviderConfigSetter) *ProviderConfigSyncer {
@@ -91,6 +95,7 @@ func (s *ProviderConfigSyncer) Run() chan struct{} {
 	var next pcsStepper
 	next = &pcsStepNext{aft: time.Duration(0)}
 
+	s.initialSyncWait.Add(1)
 	go func() {
 		for {
 			select {
@@ -105,6 +110,10 @@ func (s *ProviderConfigSyncer) Run() chan struct{} {
 	return stop
 }
 
+func (s *ProviderConfigSyncer) WaitUntilInitialSync() {
+	s.initialSyncWait.Wait()
+}
+
 func (s *ProviderConfigSyncer) sync() (time.Duration, error) {
 	cfg, err := s.from.Get()
 	if err != nil {
@@ -115,6 +124,11 @@ func (s *ProviderConfigSyncer) sync() (time.Duration, error) {
 		return 0, fmt.Errorf("error setting provider config: %v", err)
 	}
 
+	if !s.initialSyncDone {
+		s.initialSyncWait.Done()
+		s.initialSyncDone = true
+	}
+
 	log.Infof("Updating provider config: config=%#v", cfg)
 
 	return nextSyncAfter(cfg.ExpiresAt, s.clock), nil