From what I can find, we only briefly mention not supporting jku in a specific context in the AM OAuth2 docs:
"The jwe and jku formats are not supported, the public key must be represented in jwk format."
As of https://bugster.forgerock.org/jira/browse/CREST-273, FR products using these commons versions and above are able to receive JWTs containing the jku (but we don't actually use it, it just stops breaking OIDC flows). Before this fix, OAuth2/OIDC flows using JWTs containing jku claims completely fail.
Can we make sure there are clear notices in all product docs before the change (to not use them at all) and after the change, that we will parse it but not use it? In AM, for example, we should at least mention this in the Authentication, OAuth2, and OIDC docs.
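A sketch of the "parse it but not use it" behaviour described above, as an added example that is not ForgeRock code: the verifier tolerates a jku header, reports it, and resolves the key only from a locally configured JWK set. The names `verify`, `sign`, `LOCAL_JWKS` and `DEMO_SECRET`, the HS256/"oct" key (chosen so the example needs only the standard library) and the jku URL are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

DEMO_SECRET = b"constructed-demo-secret"  # constructed sample value

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample: keys configured locally in JWK format. This is the only
# place the verifier ever looks for key material.
LOCAL_JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                        "k": b64u(DEMO_SECRET)}]}

def sign(header: dict, claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    signing_input = (b64u(json.dumps(header).encode()) + "." +
                     b64u(json.dumps(claims).encode()))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def verify(token: str, jwks: dict = LOCAL_JWKS) -> dict:
    """Verify a JWT. A jku header is parsed and reported, never fetched."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64u_dec(h64))
        sig = b64u_dec(s64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    ignored_jku = header.get("jku")  # tolerated so the flow does not break
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if kid and k.get("kid") == kid), None)
    if key is None:
        raise ValueError("no locally configured key for kid")
    expected = hmac.new(b64u_dec(key["k"]), f"{h64}.{p64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return {"claims": json.loads(b64u_dec(p64)), "ignored_jku": ignored_jku}
```

A token whose jku points elsewhere still verifies only if it was signed with the locally configured key; the URL has no influence on key selection.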