KeyCloak 19.0.2 Used as Identity Broker to an openid-connect login applet

Hi.

I’m trying to set up KeyCloak as an Identity Broker to an openid-connect login applet. The login server is run in-house, but developed by a third party.

The specification calls for “JWT signed with a private key”. The JSON returned from the JWKS URL looks like:
{"keys":[
{"kty":"RSA",
"kid":"85DD69A41…",
"use":"sig",
"alg":"RS256",
"n":"gWu5taOuI62LlL55…",
"e":"AQAB",
"x5c":[""],
"x5t":"oQdSEe…",
"x5t#S256":"lGl-zARsWO…"}
]}

After a successful login at the login applet, KeyCloak sends a POST request to the token endpoint, looking like this:
{
"alg": "RS256",
"typ": "JWT",
"kid": "yvG53Y212xRAUy4Zxb0xpM090E5hNNGt4pXywd8X_y4"
}
{
"exp": 1663584984,
"iat": 1663584924,
"jti": "9bfc2d53-242a-4c21-b504-185f20cf1cdf",
"iss": "commfides-oidc-multicert",
"aud": "https://app03.test.commfides.com/cip/token?acr_values=Høyt&client_id=commfides-oidc-multicert",
"sub": "commfides-oidc-multicert",
"typ": "JWT"
}

while the third party developer claims that it should be like:
{
"x5t#S256": "c0ea76e6739795101e1d2db73e14cdd45c02b311fb1b61d3f23561e5f9cd15d7",
"x5t": "b8d196a51a25940cef3dca85c273ca2455c4c48c",
"x5c": [
"<Base 64 encoded certificate>",
"<Base 64 encoded certificate>"
],
"typ": "JWT",
"alg": "RS256"
}
{
"sub": "IBM",
"aud": "http://localhost:8080/cip/token",
"nbf": 1648813508,
"iss": "IBM",
"exp": 1648814108,
"iat": 1648813508,
"jti": "b3937614-f2a9-4e76-965d-9404408e38fc"
}

Am I configuring something wrong in KeyCloak, or are the instructions from our third party provider wrong?
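The exchange the question describes, as an added example that is not part of the original post and is neither Keycloak's nor the third party's code: in Go, the identity-broker side builds an RFC 7523 client assertion (what Keycloak calls "JWT signed with private key") carrying the x5c, x5t and x5t#S256 headers the third party shows, and the login-server side publishes the matching JWKS entry (same members as the JWKS in the question) and verifies the assertion at its token endpoint. clientID, tokenURL, the self-signed certificate, the one-minute lifetime and the random jti are assumptions. On the verifying side the key is resolved from the server's own JWKS by kid, the x5c in the header is never trusted, alg is pinned to RS256, and aud, iss and exp are checked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical identifiers standing in for the poster's deployment; not taken from the post.
const (
	clientID = "example-broker-client"                // iss and sub of the client assertion
	tokenURL = "https://login.example.test/cip/token" // aud: the token endpoint URL, nothing else
)

var b64 = base64.RawURLEncoding // JOSE segments and thumbprints are base64url without padding

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKeyAndCert makes a 2048-bit RSA key and a self-signed DER certificate for it (test material).
func newKeyAndCert() (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: clientID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return key, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// thumbprints returns the RFC 7517 x5t (SHA-1) and x5t#S256 (SHA-256) values of a DER certificate.
func thumbprints(der []byte) (string, string) {
	s1, s256 := sha1.Sum(der), sha256.Sum256(der)
	return b64.EncodeToString(s1[:]), b64.EncodeToString(s256[:])
}

// publishJWK is the entry the login server would serve at its JWKS URL for this certificate.
func publishJWK(pub *rsa.PublicKey, der []byte) map[string]any {
	x5t, x5tS256 := thumbprints(der)
	return map[string]any{"kty": "RSA", "kid": x5tS256, "use": "sig", "alg": "RS256",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		"x5c": []string{base64.StdEncoding.EncodeToString(der)}, // x5c is standard base64 DER, not base64url
		"x5t": x5t, "x5t#S256": x5tS256}
}

func segment(v any) string { return b64.EncodeToString(must(json.Marshal(v))) }

// clientAssertion is the broker side: an RFC 7523 private_key_jwt assertion carrying the
// x5c/x5t/x5t#S256 headers the third party asked for, signed RS256 with the client's private key.
func clientAssertion(key *rsa.PrivateKey, der []byte, now time.Time) string {
	x5t, x5tS256 := thumbprints(der)
	jti := make([]byte, 16) // fresh per assertion so the server can reject replays
	must(rand.Read(jti))
	header := map[string]any{"alg": "RS256", "typ": "JWT", "kid": x5tS256, "x5t": x5t, "x5t#S256": x5tS256,
		"x5c": []string{base64.StdEncoding.EncodeToString(der)}}
	claims := map[string]any{"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": b64.EncodeToString(jti),
		"iat": now.Unix(), "nbf": now.Unix(), "exp": now.Add(time.Minute).Unix()}
	input := segment(header) + "." + segment(claims)
	h := sha256.Sum256([]byte(input))
	return input + "." + b64.EncodeToString(must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])))
}

// verifyAssertion is the token endpoint side. The public key is looked up in the server's own
// JWKS by kid; the x5c in the header is never trusted. alg is pinned and aud/iss/exp are enforced.
func verifyAssertion(token string, keys []map[string]any, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if b, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg not RS256") // pinned: no alg=none / HS256 confusion
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k["kty"] == "RSA" && k["kid"] == hdr.Kid {
			n, _ := b64.DecodeString(k["n"].(string))
			e, _ := b64.DecodeString(k["e"].(string))
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not in JWKS", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]any
	if b, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &claims) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	if exp, _ := claims["exp"].(float64); claims["aud"] != tokenURL || claims["iss"] != clientID || int64(exp) <= now.Unix() {
		return nil, fmt.Errorf("aud, iss or exp check failed")
	}
	return claims, nil
}

func main() {
	key, der := newKeyAndCert()
	tok := clientAssertion(key, der, time.Now())
	fmt.Println(verifyAssertion(tok, []map[string]any{publishJWK(&key.PublicKey, der)}, time.Now()))
}
```

Two points the example makes that hold whichever of the two header layouts the login server ends up requiring: the receiving server must already hold the client's key (from its JWKS or a registered certificate) and select it by kid or thumbprint, so an x5c chain in the header is at most a hint and never a source of trust; and the assertion is a bearer credential for the token endpoint, so aud is compared literally against the URL the server expects, exp is kept short and jti is unique so a captured assertion cannot be replayed.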