@lrodriguez14 Hello, current Keycloak only supports Key Encryption for negotiating which CEK is used. How it works is as follows.

  • Keycloak generates a CEK.
  • Keycloak encrypts an ID Token by the CEK (algorithm "enc" = A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 defined in JWA).
  • Keycloak encrypts the CEK by using client app's public key (algorithm "alg" = RSA1_5, RSA-OAEP or RSA-OAEP-256 defined in JWA).
  • Keycloak constructs an ID Token as JWE.
  • Client App gets an encrypted CEK from a JWE encoded ID token and decrypts the CEK by using its private key (algorithm "alg" = RSA1_5, RSA-OAEP or RSA-OAEP-256 defined in JWA).
  • Client App decrypts the JWE encoded ID token by using…

Answer selected by lrodriguez14
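
The steps in the answer above, carried through for one alg/enc pair from its lists (RSA-OAEP-256 with A256GCM) in RFC 7516 compact form. This is an added example, not part of the original post and not Keycloak's code. The function names, the pinned algorithm pair and the sample claims are assumptions; it uses only Node's built-in `crypto` module.

```javascript
const crypto = require("node:crypto");

const OAEP256 = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const PINNED = { alg: "RSA-OAEP-256", enc: "A256GCM" }; // assumed client registration
const b64u = (buf) => Buffer.from(buf).toString("base64url");
const unb64u = (s) => Buffer.from(s, "base64url");

// Issuer side: the role Keycloak plays in the steps above.
function encryptJwe(claims, clientPublicKey) {
  const header = b64u(JSON.stringify(PINNED));
  const cek = crypto.randomBytes(32); // fresh 256-bit CEK per token
  const iv = crypto.randomBytes(12); // 96-bit IV for AES-GCM
  const cipher = crypto.createCipheriv("aes-256-gcm", cek, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // protected header is authenticated
  const ct = Buffer.concat([cipher.update(JSON.stringify(claims), "utf8"), cipher.final()]);
  const wrapped = crypto.publicEncrypt({ key: clientPublicKey, ...OAEP256 }, cek);
  return [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

// Client side: unwrap the CEK with the private key, then decrypt the token.
function decryptJwe(jwe, clientPrivateKey) {
  const parts = jwe.split(".");
  if (parts.length !== 5) throw new Error("not a compact JWE");
  const [header, wrapped, iv, ct, tag] = parts;
  const hdr = JSON.parse(unb64u(header).toString("utf8"));
  // Refuse anything but the pair this client registered; never let the token choose.
  if (hdr.alg !== PINNED.alg || hdr.enc !== PINNED.enc) throw new Error("unexpected alg/enc");
  const cek = crypto.privateDecrypt({ key: clientPrivateKey, ...OAEP256 }, unb64u(wrapped));
  if (cek.length !== 32) throw new Error("wrong CEK length for A256GCM");
  // authTagLength: 16 rejects truncated tags; final() throws if the tag does not verify.
  const d = crypto.createDecipheriv("aes-256-gcm", cek, unb64u(iv), { authTagLength: 16 });
  d.setAAD(Buffer.from(header, "ascii"));
  d.setAuthTag(unb64u(tag));
  return JSON.parse(Buffer.concat([d.update(unb64u(ct)), d.final()]).toString("utf8"));
}

// Constructed key pair and claims, for demonstration only.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwe = encryptJwe({ sub: "constructed-user", aud: "constructed-client" }, publicKey);
  return { jwe, claims: decryptJwe(jwe, privateKey) };
}
```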