Keycloak 15.0.2 - Sub claim replacement fails with Invalid JWT when attribute-mapper but works with script-mapper. Why?

Hello,

I’m trying to replace the sub claim on the AccessToken but I’m facing an issue which I can’t explain.

While replacing the sub claim, if the replacement is done with an oidc-usermodel-attribute-mapper, the token validation fails on Envoy with an “Invalid JWT” message.
Here’s the protocolMapper as is in the realm-export.json file:

        {
          "id": "6b15d413-71da-4adc-a026-37289c359f0b",
          "name": "originalid-subject-mapper",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-attribute-mapper",
          "consentRequired": false,
          "config": {
            "userinfo.token.claim": "true",
            "user.attribute": "originalId",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "sub",
            "jsonType.label": "String"
          }
        }

However, doing exactly the same thing (meaning, the final AccessToken is exactly the same) with an oidc-script-based-protocol-mapper works just fine and the validation works.
Here’s the config also from the realm file:

        {
          "id": "54bc90bb-6ca5-4a91-aea6-2e864491cfc0",
          "name": "originalid-subject-mapper",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-script-based-protocol-mapper",
          "consentRequired": false,
          "config": {
            "userinfo.token.claim": "true",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "sub",
            "jsonType.label": "String",
            "script": "token.setSubject(user.getFirstAttribute(\"originalId\"));"
          }
        }

Why does this happen? It’s totally baffling me.
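
One way to test the "exactly the same" observation at the byte level, as an added example that is not part of the original post: standard JSON decoders keep only the last value of a repeated key, so two tokens can decode to identical claims while their raw payloads differ. The sample tokens below are constructed and unsigned; whether either mapper actually emits such a payload is an assumption to check against real tokens, not something the post establishes.

```python
import base64
import json
from collections import Counter


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def raw_payload(jwt: str) -> bytes:
    """Return the payload segment of a compact JWS as raw bytes, unparsed."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def claim_pairs(raw: bytes) -> list:
    """Top-level (name, JSON type) pairs in wire order, duplicates preserved."""
    pairs = json.loads(raw, object_pairs_hook=lambda p: p)
    return [(k, type(v).__name__) for k, v in pairs]


def compare(jwt_a: str, jwt_b: str) -> dict:
    """Compare two tokens as a tolerant decoder sees them and as sent on the wire."""
    a, b = raw_payload(jwt_a), raw_payload(jwt_b)
    pa, pb = claim_pairs(a), claim_pairs(b)
    dup = lambda pairs: sorted(k for k, n in Counter(k for k, _ in pairs).items() if n > 1)
    return {
        "same_after_decoding": json.loads(a) == json.loads(b),
        "same_raw_bytes": a == b,
        "duplicates_a": dup(pa),
        "duplicates_b": dup(pb),
        "name_or_type_diff": sorted(set(pa) ^ set(pb)),
    }


# Constructed sample tokens (placeholder signature, hypothetical claim values).
HEADER = b64url(b'{"alg":"RS256","typ":"JWT"}')
SIG = b64url(b"constructed-signature")
TOKEN_A = ".".join([HEADER, b64url(b'{"exp":1700000000,"sub":"kc-internal-id","sub":"legacy-42"}'), SIG])
TOKEN_B = ".".join([HEADER, b64url(b'{"exp":1700000000,"sub":"legacy-42"}'), SIG])

if __name__ == "__main__":
    for key, value in compare(TOKEN_A, TOKEN_B).items():
        print(f"{key}: {value}")
```

Running `compare` on the access tokens issued with each mapper shows whether they match only after decoding or also byte for byte, and whether `sub` has the same JSON type in both.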