79469055

Date: 2025-02-26 08:57:21
Score: 3
Natty:

Getting the exact same issue.

Are you trying to connect to EntraID as the Identity Provider? We're experiencing the same issue with EntraID as the IdP for Azure B2C.

Unfortunately, I don't have a solution, but have put this as an answer to add a fair bit of detail as to why this is failing with Azure B2C. Hopefully you might be able to use this to find the fix (and please share), or someone else might.

tl;dr: it's not you, it's Microsoft's EntraID.

What is happening...

The .well-known/openid-configuration from the EntraID app contains the property "jwks_uri": "https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys", which points to the list of keys that it uses to validate the JWT response (in the JWT header). This key [resource] is what is causing your JWT to not validate.

Why

EntraID's App is returning the wrong key set on this key [resource] URL that it uses to key off the JWT it provided. The correct key set is retrievable by adding a query parameter of appId={client-id} to the end of that keys URL, returning the correct key(s) that it used on the JWT.

Basically...

https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys?appId={client-id}

gives a different set of keys than

https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys

Not sure why Microsoft has done this, since my hours of trying to fix this showed that it only applied to Microsoft's OIDC, while Google and the others were fine.

where to next

Unfortunately, I haven't found a fix yet for Azure B2C, since there is no way to control how it retrieves this keys resource... well, none yet, but I'll update this answer when I do.

Hope that helps in finding a solution.

Reasons:
  • Whitelisted phrase (-1): Hope that helps
  • RegEx Blacklisted phrase (2.5): please share
  • Long answer (-1):
  • Has code block (-0.5):
  • Me too answer (2.5): getting the exact same issue
  • Contains question mark (0.5):
Posted by: Guy Park
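The diagnostic the answer above walks through by hand (look at the kid in the token header, then check which JWKS document actually contains that key) can be scripted. The following is an added example, not code from the answer or from Microsoft; it uses only the Python standard library, builds the appId-qualified keys URL the answer describes, and runs the kid lookup against two constructed JWKS documents and a constructed token. The key IDs, the token contents and the client ID are made up for the demonstration; only the URL shape comes from the answer.

```python
"""Check which Entra ID JWKS document holds the key a JWT header points at."""
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def jwks_url_for_app(jwks_uri: str, client_id: str) -> str:
    """Append appId=<client-id> to the jwks_uri taken from openid-configuration."""
    parts = urlsplit(jwks_uri)
    query = dict(parse_qsl(parts.query))
    query["appId"] = client_id
    return urlunsplit(parts._replace(query=urlencode(query)))


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Parse the (unverified) JOSE header; this is where kid and alg live."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_signing_key(token: str, key_sets: dict) -> dict:
    """Return {set_name: jwk} for every key set containing the token's kid.

    Only keys usable for signatures (use=sig, or no 'use' field) are considered,
    which mirrors what a validator would do before checking the signature.
    """
    header = jwt_header(token)
    kid = header.get("kid")
    matches = {}
    for name, jwks in key_sets.items():
        for key in jwks.get("keys", []):
            if key.get("kid") == kid and key.get("use", "sig") == "sig":
                matches[name] = key
    return matches


def make_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Assemble a constructed, unsigned token; only the header matters here."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, payload)]
    return ".".join(segments) + "." + b64url_encode(signature)


# --- constructed sample data (not real Microsoft keys or IDs) -----------------
JWKS_URI = "https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder client ID

DEFAULT_JWKS = {"keys": [  # what the plain jwks_uri returns in the scenario
    {"kty": "RSA", "use": "sig", "kid": "default-key-1", "n": "AQAB", "e": "AQAB"},
]}
APP_JWKS = {"keys": [  # what jwks_uri?appId=<client-id> returns in the scenario
    {"kty": "RSA", "use": "sig", "kid": "app-key-1", "n": "AQAB", "e": "AQAB"},
]}
SAMPLE_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "app-key-1"},
    {"iss": "https://login.microsoftonline.com/{tenant-id}/v2.0", "aud": CLIENT_ID},
)


def diagnose(token: str, jwks_uri: str, client_id: str, fetch) -> dict:
    """Fetch both key sets with `fetch(url) -> dict` and report which one matches."""
    key_sets = {
        "jwks_uri": fetch(jwks_uri),
        "jwks_uri?appId": fetch(jwks_url_for_app(jwks_uri, client_id)),
    }
    return find_signing_key(token, key_sets)


if __name__ == "__main__":
    # Offline stand-in for an HTTP GET of each JWKS document.
    def fake_fetch(url: str) -> dict:
        return APP_JWKS if "appId=" in url else DEFAULT_JWKS

    print("kid in token header:", jwt_header(SAMPLE_TOKEN)["kid"])
    print("key sets containing it:", list(diagnose(SAMPLE_TOKEN, JWKS_URI, CLIENT_ID, fake_fetch)))
```

In a real check, replace the fake fetcher with an HTTP GET of each URL and pass the token you received; if the kid only shows up under the appId-qualified URL, the validator that reads jwks_uri from openid-configuration is looking at the wrong document, which is the failure the answer describes.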