No jwks_uri in /.well-known/oauth-authorization-server response?


I develop an OIDC-integrated application and we’ve recently had customers using Okta encounter errors around jwks_uri when attempting to log in. We found that a dependency of ours was checking /.well-known/oauth-authorization-server and expecting jwks_uri to always be present, but customers’ systems were receiving no jwks_uri in the otherwise valid response. (I saw in an IETF spec that jwks_uri is an optional value, so maybe a root issue is actually that this dependency isn’t upholding its end of the contract well here.)

We’ve been able to resolve this problem by targeting /.well-known/openid-configuration (which does appear to have jwks_uri in the response in every case we’ve seen) instead of oauth-authorization-server, but we’re still trying to understand why we’re just now starting to see these errors in systems that were previously interfacing with Okta smoothly. Does anyone please have any guidance about what conditions would cause jwks_uri to not be included in the oauth-authorization-server response?
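The fallback described in the post, as an added example that is not part of the original post and not code from Okta or the dependency in question: RFC 8414 lists `jwks_uri` as OPTIONAL in authorization server metadata, while OpenID Connect Discovery 1.0 lists it as REQUIRED, so a client can check both documents and fail with a clear reason instead of assuming the field exists. The `fetch_json` helper, the issuer URL and the sample documents are constructed assumptions, as is appending the well-known path to the issuer URL.

```python
from urllib.parse import urlsplit

# Tried in order. RFC 8414 lists jwks_uri as OPTIONAL in the first document;
# OpenID Connect Discovery 1.0 lists it as REQUIRED in the second.
WELL_KNOWN = ("/.well-known/oauth-authorization-server",
              "/.well-known/openid-configuration")

class DiscoveryError(Exception):
    """No usable jwks_uri was found in any discovery document."""

def resolve_jwks_uri(issuer, fetch_json):
    """Return (jwks_uri, well_known_path) for issuer, or raise DiscoveryError.

    fetch_json(url) -> dict | None is a hypothetical injected HTTP helper.
    Assumption: the well-known path is appended to the issuer URL.
    """
    problems = []
    for path in WELL_KNOWN:
        doc = fetch_json(issuer.rstrip("/") + path)
        if not isinstance(doc, dict):
            problems.append(f"{path}: no metadata document")
            continue
        # Metadata must name the issuer we asked about, otherwise we could
        # end up trusting signing keys published by a different party.
        if doc.get("issuer") != issuer:
            problems.append(f"{path}: issuer mismatch")
            continue
        uri = doc.get("jwks_uri")
        if not isinstance(uri, str) or not uri:
            problems.append(f"{path}: jwks_uri absent")
            continue
        if urlsplit(uri).scheme != "https":
            problems.append(f"{path}: jwks_uri is not https")
            continue
        return uri, path
    raise DiscoveryError("; ".join(problems))

# Constructed sample data: the first document omits jwks_uri, as in the post.
ISSUER = "https://idp.example.test/oauth2/default"
SAMPLE_DOCS = {
    ISSUER + WELL_KNOWN[0]: {"issuer": ISSUER,
                             "token_endpoint": ISSUER + "/v1/token"},
    ISSUER + WELL_KNOWN[1]: {"issuer": ISSUER,
                             "jwks_uri": ISSUER + "/v1/keys"},
}

if __name__ == "__main__":
    print(resolve_jwks_uri(ISSUER, SAMPLE_DOCS.get))
```

The error message lists why each document was rejected, which makes a missing `jwks_uri` distinguishable from an unreachable endpoint or an issuer mismatch in client logs.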