...
OidcKeysService returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding X509 certificate chain too. Use this service if IdToken is signed by a private RSA or EC key for the client be able to fetch the verification keys without having to import them into local key stores. The OidcKeysService can also return a public key stored in a JWK keys file, by specifying the id of the key via "rs.security.keystore.alias" and specifying the type of the keystore ("rs.security.keystore.type") as "jwk".
OidcDynamicRegistrationService
...