As part of the OAuth2 secrets integration, care was taken to ensure that keystore secret stores use the same stable IDs (key IDs) as previously, so that JWTs remain compatible. Unfortunately it seems that the HSM secret store did not receive the same treatment, which should mean that when secrets are stored in an HSM secret store, the key aliases are reported as key IDs, potentially breaking backwards compatibility.
- Set up an HSM secret store in the realm
- Configure an OIDC provider in the realm
- Issue id_tokens that use secrets from the HSM secret store to sign the id_token
The key ID corresponding to the private key should be the same value as what one would see when using keystore secret stores.
The key ID in the id_token JWT is the key alias.
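A small check an operator can run to tell whether the `kid` in an issued id_token is a stable, key-derived identifier or just the secret store's alias. This is an added example, not code from the project described in this report: it assumes that the "stable ID" is an RFC 7638 JWK thumbprint (the report does not say how the stable ID is derived), the alias `SAMPLE_ALIAS`, the claims and the RSA public JWK are constructed test data, and the tokens are built unsigned so the header can be inspected without a signing key.

```python
"""Classify the kid in a JWT protected header as stable (key thumbprint),
alias (secret store alias) or unknown.  Added example: the stable-ID
derivation (RFC 7638 JWK thumbprint) is an assumption, and every key,
alias and claim below is constructed test data, not a real key."""
import base64
import hashlib
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members (lexicographically sorted, no whitespace), base64url-encoded.
    The result depends only on the key material, never on its alias."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
        "oct": ("k", "kty"),
    }
    members = required[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("ascii")).digest())


def jwt_header(token: str) -> dict:
    """Decode the protected header of a compact-serialised JWT.
    No signature verification happens here; this only reads the header."""
    return json.loads(b64url_decode(token.split(".")[0]))


def classify_kid(token: str, alias: str, jwk: dict) -> str:
    """'stable' if kid equals the key's thumbprint, 'alias' if it equals the
    secret store alias (the behaviour reported for HSM stores), else 'unknown'."""
    kid = jwt_header(token).get("kid")
    if kid == jwk_thumbprint(jwk):
        return "stable"
    if kid == alias:
        return "alias"
    return "unknown"


def make_unsigned_token(kid: str, claims: dict) -> str:
    """Build header.payload. with an empty signature part, purely so the
    header can be inspected in this example; a real id_token is signed."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("ascii")
    return ".".join([b64url_encode(compact(header)),
                     b64url_encode(compact(claims)), ""])


# Constructed test data: the modulus is an arbitrary base64url string, not a real key.
SAMPLE_ALIAS = "rsajwtsigningkey"
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4WpAHkE2f"
         "Sd5G9zhGP-ujENHR4ywYUVyz4Szt1P4cf5q4J0aGwXJqKPYT3uQrrEOEu-gWZsrD",
}
SAMPLE_CLAIMS = {"iss": "https://idp.example", "sub": "alice", "aud": "client-1"}
STABLE_KID = jwk_thumbprint(SAMPLE_JWK)

# Two tokens for the same key: one carries the stable kid, one the alias.
TOKEN_STABLE = make_unsigned_token(STABLE_KID, SAMPLE_CLAIMS)
TOKEN_ALIAS = make_unsigned_token(SAMPLE_ALIAS, SAMPLE_CLAIMS)


def report() -> dict:
    """Summarise the classification of both sample tokens."""
    return {
        "stable_kid": STABLE_KID,
        "token_with_stable_kid": classify_kid(TOKEN_STABLE, SAMPLE_ALIAS, SAMPLE_JWK),
        "token_with_alias_kid": classify_kid(TOKEN_ALIAS, SAMPLE_ALIAS, SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run against a real id_token by passing it to `classify_kid` together with the store alias and the signing key's public JWK (from the provider's JWKS endpoint); a result of `alias` is the symptom described above, and relying parties that cached the old stable `kid` will fail key lookup for such tokens.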