Unable to match keys when validating access token

The app I have configured allows the resource owner password flow, and I'm able to get an access token with a URL-encoded POST to $"{openIdDomain}oauth2/default/v1/token". I pass the client_id and client_secret as basic authentication and post a URL-encoded set of values:
grant_type = "password",
scope = "openid",
username = u,
password = p

That works, and I get back an access_token. When I decode the first part I observe the kid value and alg.

The next step is to get the configuration metadata. For that I do a GET to $"{openIdDomain}.well-known/openid-configuration"

The response that I get from that call includes both the jwks_uri and the JsonWebKeySet.
However, the kid values in both the response from jwks_uri and the contents of the JsonWebKeySet do not match the kid in the access_token. Consequently, when I try to validate the token (using the .NET Core 2.1 JwtSecurityTokenHandler), I get "Signature validation failed. Unable to match keys".

There must be something I’m missing. I don’t understand why the kid in the access_token doesn’t agree with the kid value in the JsonWebKeySet from the openid-configuration.

--- UPDATE ---
Following this guide, https://developer.okta.com/code/dotnet/jwt-validation,
I determined that I was not going to the correct place to get the discovery document for the ConfigurationManager.

new ConfigurationManager<OpenIdConnectConfiguration>($"{issuer}/.well-known/oauth-authorization-server", new OpenIdConnectConfigurationRetriever())

Solved it!

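The validation flow from the update, written out as an added example (not the poster's code or Okta's): it fetches signing keys from the authorization server's own oauth-authorization-server discovery document and checks the token's kid against that key set before calling the handler, so a wrong discovery endpoint produces a message naming the endpoint instead of a bare "Unable to match keys". The `issuer` and `audience` values are assumed to be the authorization server URL (e.g. https://{yourOktaDomain}/oauth2/default) and its configured audience.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class AccessTokenValidator
{
    // issuer: the authorization server that minted the token (assumed: https://{yourOktaDomain}/oauth2/default)
    // audience: the "aud" value that server puts in its access tokens (assumed, check the server settings)
    public static async Task<ClaimsPrincipal> ValidateAsync(
        string token, string issuer, string audience, CancellationToken ct = default)
    {
        // Keys must come from the discovery document of the same authorization server that issued
        // the token; the org-level openid-configuration publishes a different key set.
        var metadataAddress = $"{issuer}/.well-known/oauth-authorization-server";
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());
        var discovery = await configurationManager.GetConfigurationAsync(ct);

        // Pre-check: is the kid from the token header present in the fetched key set?
        var kid = new JwtSecurityTokenHandler().ReadJwtToken(token).Header.Kid;
        if (!discovery.SigningKeys.Any(k => k.KeyId == kid))
        {
            var known = string.Join(", ", discovery.SigningKeys.Select(k => k.KeyId));
            throw new SecurityTokenSignatureKeyNotFoundException(
                $"kid '{kid}' is not in the key set from {metadataAddress} (known kids: {known})");
        }

        var parameters = new TokenValidationParameters
        {
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = discovery.SigningKeys,
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = audience,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        // Throws a SecurityTokenException subclass if signature, issuer, audience or lifetime fail.
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }
}
```

ConfigurationManager caches the document and refreshes it on a schedule, so keep one instance per issuer rather than creating it per request as this minimal example does.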