I understand the solution (more of a workaround really), but I don’t think it will really work for many of our app owners. They use off-the-shelf libraries, like Spring Security, to handle the OIDC/OAuth2 flows to retrieve the id_token and access_token. In Spring Security I don’t see support for OAuth2 clients to have a list of secrets. So custom coding would be required of my app owners to do this key rotation, which seems like a big ask when some of our app owners are external clients.
Andrew