KeyCloak 19.0.2 Used as Identity Broker to an openid-connect login applet


I’m trying to set up KeyCloak as an Identity Broker to an openid-connect login applet. The login server is run in-house, but developed by a third party.

The specification calls for “JWT signed with a private key”. The JSON returned from the JWKS URL looks like:

After a successful login at the login applet, KeyCloak sends a POST request to the token endpoint, looking like this:
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "yvG53Y212xRAUy4Zxb0xpM090E5hNNGt4pXywd8X_y4"
}
{
  "exp": 1663584984,
  "iat": 1663584924,
  "jti": "9bfc2d53-242a-4c21-b504-185f20cf1cdf",
  "iss": "commfides-oidc-multicert",
  "aud": "øyt&client_id=commfides-oidc-multicert",
  "sub": "commfides-oidc-multicert",
  "typ": "JWT"
}

while the third party developer claims that it should be like:
{
  "x5t#S256": "c0ea76e6739795101e1d2db73e14cdd45c02b311fb1b61d3f23561e5f9cd15d7",
  "x5t": "b8d196a51a25940cef3dca85c273ca2455c4c48c",
  "x5c": [
    "<Base 64 encoded certificate>",
    "<Base 64 encoded certificate>"
  ],
  "typ": "JWT",
  "alg": "RS256"
}
{
  "sub": "IBM",
  "aud": "http://localhost:8080/cip/token",
  "nbf": 1648813508,
  "iss": "IBM",
  "exp": 1648814108,
  "iat": 1648813508,
  "jti": "b3937614-f2a9-4e76-965d-9404408e38fc"
}

Am I configuring something wrong in KeyCloak, or are the instructions from our third party provider wrong?
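
An added diagnostic sketch, not part of the original post and not Keycloak's or the provider's code: it decodes a client assertion without verifying it, lists which header parameters and claims differ from the provider's sample, and computes certificate thumbprints both as base64url (the encoding RFC 7515 defines for x5t and x5t#S256) and as hex (the length of the values in the provider's sample). The token, kid, client name, token URL and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import json

# Parameter names copied from the provider's sample in the post.
PROVIDER_HEADER = {"x5t#S256", "x5t", "x5c", "typ", "alg"}
PROVIDER_CLAIMS = {"sub", "aud", "nbf", "iss", "exp", "iat", "jti"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(jwt: str):
    """Decode header and payload of a compact JWS. No signature check: diagnostics only."""
    header_b64, payload_b64, _signature = jwt.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def diff_keys(actual: dict, expected: set):
    """Return (missing, unexpected) parameter names relative to the expected set."""
    return sorted(expected - set(actual)), sorted(set(actual) - expected)

def cert_thumbprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 thumbprints of DER bytes, as base64url and as hex."""
    sha1, sha256 = hashlib.sha1(der).digest(), hashlib.sha256(der).digest()
    return {
        "x5t": b64url_encode(sha1), "x5t_hex": sha1.hex(),
        "x5t#S256": b64url_encode(sha256), "x5t#S256_hex": sha256.hex(),
    }

def build_sample_assertion() -> str:
    """Constructed, unsigned token using the parameter names Keycloak sent in the post."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    claims = {
        "exp": 1663584984, "iat": 1663584924, "jti": "example-jti", "typ": "JWT",
        "iss": "example-client", "sub": "example-client",
        "aud": "https://login.example/token",
    }
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + [b64url_encode(b"not-a-signature")])

if __name__ == "__main__":
    header, claims = decode_unverified(build_sample_assertion())
    print("header missing/unexpected:", diff_keys(header, PROVIDER_HEADER))
    print("claims missing/unexpected:", diff_keys(claims, PROVIDER_CLAIMS))
    # Constructed bytes stand in for a certificate's DER encoding.
    print(cert_thumbprints(b"constructed placeholder, not a real certificate"))
```

To use it on a real assertion, pass the `client_assertion` value captured from the token request to `decode_unverified` and the DER bytes of the client certificate to `cert_thumbprints`.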