Okta OpenID Connect Authentication for Red Hat Satellite/The Foreman

Red Hat’s documentation only covers OIDC authentication against Red Hat SSO/Keycloak. I have been attempting to adapt the process to Okta, with only minor success. I am able to see in the Okta application logs and the mod_auth_openidc debug logs that authentication was successful. However, in the Satellite production.log I get the following error:
‘Failed to decode JWT’ error (JWT::DecodeError): Could not find public key for kid [cypher text]’

In Satellite I have the following settings,

Authorize login delegation: Yes
OIDC JWKs URL: https://[domain].okta.com/oauth2/v1/keys
OIDC Issuer: https://[domain].okta.com
OIDC Algorithm: RS256
OIDC Audience: [Client ID from Okta app configuration]

In the httpd configuration I have the following settings,
OIDCClientID [ClientID from Okta app configuration]
OIDCProviderMetadataURL https://[domain].okta.com/.well-known/openid-configuration
OIDCCryptoPassphrase [random phrase]
OIDCClientSecret [Client Secret from Okta app configuration]
OIDCRedirectURI https://[satellite url]/users/extlogin/redirect_uri
OIDCRemoteUserClaim sub

<Location /users/extlogin>
AuthType openid-connect
Require valid-user
LogLevel debug
</Location>

Any help sorting out this issue will be greatly appreciated.
Jeremy

Is https://[domain].okta.com/oauth2/v1/keys the correct OIDC JWKs URL?

I grabbed the OIDC access token and broke it into its three parts, then base64 decoded the header. The kid listed in that header is the same as what is in my production.log error, and it is not listed in the OIDC JWKs URL’s results.

I feel like there is something small I’m missing that will make all of this come together.