X509 Client Certificate authentication for OIDC clients


currently we are experiment with X509 certificates to authenticate OIDC clients. Unlike X509 certificates for users, importing the client CA is not sufficient, each public key of a OIDC client needs to be imported into the truststore.

Can someone verify, if this is that is true or do I missing something? Creating a new client looks painful, since it requires a restart of Keycloak itself and its hard to automate.