Trying to implement OpenID Connect with Keycloak but I always get "Invalid client" or "Invalid client credentials"

I’m integrating OpenID Connect with Keycloak for client authentication but consistently encounter the error message: “Invalid client” or “Invalid client credentials”.

Setup Overview
I have configured Keycloak to use JWT-based client authentication. Here are the relevant settings:
- Client Authentication: Enabled, which has set the client to confidential mode.
- Signature Algorithm: Set to RS256 in Keycloak.
- Credentials Tab: The Client Authenticator is configured to use Signed JWT.

The client I’m working with requires the following JWT header for authentication:


{
  "alg": "RSA-OAEP-256",
  "cty": "JWT",
  "enc": "A256GCM",
  "kid": "po6QKfVcfFpGOyWOGMKsvmOFugOHXId6w5kyo6vw1W8"
}

Problem
Keycloak successfully decrypts the incoming JWT and I can access the decrypted data in keycloakSession. However, when Keycloak attempts to redirect back to the client with the authorization code, I receive an error indicating that the client is invalid or client credentials are invalid.

After a successful context I get this error:

2024-11-01 17:39:27,252 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-8) AUTHENTICATE CLIENT
2024-11-01 17:39:27,252 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-8) client authenticator: client-secret
2024-11-01 17:39:27,252 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-8) client authenticator: client-jwt
2024-11-01 17:39:27,252 ERROR [org.keycloak.services] (executor-thread-8) KC-SERVICES0025: Error when validating client assertion: org.keycloak.jose.jws.JWSInputException: java.lang.IllegalArgumentException: Parsing error
    at org.keycloak.jose.jws.JWSInput.(JWSInput.java:59)
    at org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.authenticateClient(JWTClientAuthenticator.java:111)
    at
Question
How can I configure Keycloak to correctly handle this encrypted JWT throughout the OpenID Connect flow, including the final redirect to the client? Would a custom Keycloak authenticator be required to fully support the RSA-OAEP-256/A256GCM encryption throughout the process, or is there another approach to prevent the “Invalid client” error at the end?
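The log above is worth reading closely: the failure is raised by JWSInput, the parser Keycloak's "Signed JWT" (client-jwt) authenticator uses for the client_assertion, and that parser expects a signed JWT in JWS compact form (three dot-separated segments). The header in the question (alg RSA-OAEP-256, enc A256GCM) belongs to a JWE, which has five segments, so the assertion fails at parsing before any key or claim is examined. The following script, an added example that is not part of the question or of Keycloak, shows the difference and runs the structural and claim checks that a private_key_jwt verifier (RFC 7523 section 3) applies to a signed assertion: iss and sub equal the client_id, aud names the token endpoint, exp is in the future, jti is present, and alg is an asymmetric signing algorithm. The tokens, the client_id "my-client", the token endpoint URL and the placeholder signature are all constructed for the demonstration; signatures are not verified, because that requires the client's registered public key.

```python
import base64
import json
import uuid
from typing import Any, Dict, List

# JWS "alg" values a Signed JWT (private_key_jwt) client assertion may carry.
# RSA-OAEP-256 is a JWE key-management algorithm, not a signature, so it is
# deliberately absent from this set.
JWS_SIGNING_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                    "ES256", "ES384", "ES512"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JOSE tokens."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_compact_token(token: str) -> Dict[str, Any]:
    """Classify a compact token as JWS (3 segments) or JWE (5 segments)
    and return its parsed protected header."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JOSE token: {len(parts)} segments")
    return {"kind": kind, "segments": len(parts), "header": header}


def check_client_assertion(token: str, client_id: str, token_endpoint: str,
                           now: int) -> List[str]:
    """Shape and claim checks for a private_key_jwt client assertion.
    Returns a list of problems; an empty list means the assertion has the
    form a verifier expects. The signature itself is NOT verified here."""
    problems: List[str] = []
    info = inspect_compact_token(token)
    if info["kind"] != "JWS":
        # A JWE cannot be read as a signed assertion without decrypting it first.
        problems.append(f"{info['kind']} with {info['segments']} segments: "
                        "a signed client assertion must be a 3-segment JWS")
        return problems
    header = info["header"]
    if header.get("alg") not in JWS_SIGNING_ALGS:
        problems.append(f"alg {header.get('alg')!r} is not an asymmetric signing algorithm")
    claims = json.loads(b64url_decode(token.split(".")[1]))
    # RFC 7523 section 3: iss and sub identify the client, aud names the
    # token endpoint, exp bounds the lifetime, jti enables replay detection.
    if claims.get("iss") != client_id:
        problems.append(f"iss {claims.get('iss')!r} does not match client_id")
    if claims.get("sub") != client_id:
        problems.append(f"sub {claims.get('sub')!r} does not match client_id")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if token_endpoint not in aud_list:
        problems.append(f"aud {aud!r} does not include the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append(f"exp {exp!r} is missing or already passed")
    if not claims.get("jti"):
        problems.append("jti is missing; replay detection is impossible")
    return problems


def build_assertion_claims(client_id: str, token_endpoint: str, now: int,
                           lifetime: int = 60) -> Dict[str, Any]:
    """The claim set a client should sign (e.g. RS256) for a valid assertion."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}


def make_unsigned_example(header: Dict[str, Any], claims: Dict[str, Any]) -> str:
    """CONSTRUCTED 3-segment token with a placeholder signature, for shape tests only."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"placeholder-signature")])


# Constructed JWE carrying the protected header shape from the question;
# the remaining four segments are placeholders, not real ciphertext.
JWE_HEADER = {"alg": "RSA-OAEP-256", "cty": "JWT", "enc": "A256GCM", "kid": "example-kid"}
SAMPLE_JWE = ".".join([b64url_encode(json.dumps(JWE_HEADER).encode()),
                       b64url_encode(b"encrypted-key"), b64url_encode(b"iv"),
                       b64url_encode(b"ciphertext"), b64url_encode(b"tag")])

if __name__ == "__main__":
    token_ep = "https://kc.example/realms/demo/protocol/openid-connect/token"  # assumed
    now = 1_700_000_000
    print("JWE from the question:", check_client_assertion(SAMPLE_JWE, "my-client", token_ep, now))
    good = make_unsigned_example({"alg": "RS256", "typ": "JWT", "kid": "example-kid"},
                                 build_assertion_claims("my-client", token_ep, now))
    print("well-formed JWS assertion:", check_client_assertion(good, "my-client", token_ep, now))
```

Running it reports the JWE as unusable after the first check, which mirrors the stack trace in the question: nothing downstream (kid lookup, audience, expiry) is ever reached. If the client must send an encrypted token, it has to be decrypted into the inner signed JWT before it arrives at the client-jwt authenticator; the authenticator itself only understands the three-segment form.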