Outgoing auth (KC -> other IdP) Private key JWT assertion customisation

Hi There,
I have performed a relatively exhaustive search online and against chat GPT (gasp) to find an answer to this question and have yet to find anything specific. I’m hoping smarter people here might be able to point me in the right direction.

We have a keycloak server (v21/22) which is (as a client) required to fetch an access token from an OIDC provider (Auth0). i.e. KC is configured as a client in Auth0 and is to perform authentication against Auth0 to get an access token.

The desired authentication method is Private key JWT, where KC generates a private key JWT assertion, signs it and then exchanges it with Auth0 to get an access token. Auth0 has KC’s public key added and linked to KC’s client.

The challenge we’re facing is with KC’s generation of the PKJ assertion and the fact that KC and Auth0 both record KC’s public key ID against different values. From what we can tell, there isn’t a consistent standard for how a KID is generated, which is perhaps why?

When the KC generates the assertion, the KID is included in the assertion. However, the KID is that of the public key generated by keycloak, which differs from the KID that is stored in Auth0. Authentication fails, because Auth0 expects the assertion sent by KC to either have a KID (which matches the KID generated by Auth0), or no KID claim at all.

In our search we have found no information relating to customising the value of the KID in keycloak. Or at least no one seems to be asking that question. We have found a little bit of information relating to creating customisations but these seem to be for authentication in the opposite direction (KC being the provider of access tokens).

We already have a significant number of users and clients in our system so we are sensitive to changes which might affect existing entities. However, any help, guidance or gentle nudges in the right direction would be very much appreciated.

Thanks,
KH