When using oauth2/openid connect authentication module, the client always authenticates to OpenID Connect provider using client_secret_post.
It would be good if the authentication module could be configured so that the client uses private_key_jwt for authentication if required.
The implementation should also define a URL to expose the client's public key.
Note that the provider side of OpenAM allows clients to authenticate that way. It would make sense to have the corresponding feature on the client side.