# ory-selfhosting
I'm trying to get the jwt-bearer grant type to work. What I'm trying to do is accept Kubernetes service account tokens (JWTs issued by K8S) as the assertion in the jwt-bearer grant type, then have Hydra call my token_hook endpoint so that I could consume that K8S token and return customized claims, which Hydra should then issue a new JWT for. Anyway, I'm having difficulties trying to get Hydra to validate the initial K8S service account token; it says that it does not have keys for the http://kubernetes.default.svc.cluster.local issuer. I've tried setting a couple of environment variables without success:
OAUTH2_EXPERIMENTAL_JWT_GRANT_VALIDATION_STRATEGY=jwt
OAUTH2_EXPERIMENTAL_JWT_GRANT_ASSERT_ISSUER=https://kubernetes.default.svc.cluster.local
OAUTH2_EXPERIMENTAL_JWT_GRANT_HOOK_URL=http://idp.172.18.0.3.nip.io/jwt-bearer
OAUTH2_EXPERIMENTAL_JWT_GRANT_JWKS_URLS=https://kubernetes.default.svc.cluster.local/openid/v1/jwks
The error message I get from Hydra is:
time=2025-06-24T13:01:13Z level=info msg=access denied audience=application error=map[debug:Unable to locate the resource message:invalid_grant reason:No public JWK was registered for issuer "https://kubernetes.default.svc.cluster.local" and subject "system:serviceaccount:demo:demo-account", and public key is required to check signature of JWT in "assertion" request parameter. stack_trace: ...
I cannot see any attempt to retrieve the required material from https://kubernetes.default.svc.cluster.local/openid/v1/jwks. How can I register these keys or ensure that they will get processed? Any solution is acceptable, pre-registering the JWK or having Hydra fetch them at runtime.
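As an added illustration (not code from the post or from Ory Hydra), here is a Go sketch of the check that the error above reflects: the assertion's signature can only be verified once a JWKS for the token's issuer and kid has been registered, and the claims (sub, aud, exp) may be trusted only after that signature check passes. The issuer constant and the service-account-style token are constructed stand-ins; real service account tokens may carry aud as an array, which this sketch does not handle.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Issuer is a constructed stand-in for the Kubernetes issuer in the post; Verifier.Keys maps issuer -> kid -> key.
const Issuer = "https://kubernetes.default.svc.cluster.local"
type Verifier struct{ Keys map[string]map[string]*rsa.PublicKey }
var enc = base64.RawURLEncoding

// MintRS256 signs claims as an RS256 JWT; used here only to build a constructed service-account-style token.
func MintRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig)
}

// VerifyAssertion: read iss/kid from the not-yet-trusted token, find the registered key, verify, then check aud/exp.
func (v *Verifier) VerifyAssertion(token, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed assertion") }
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	for i, out := range []any{&hdr, &claims} {
		if raw, err := enc.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, out) != nil {
			return nil, fmt.Errorf("undecodable JWT segment %d", i)
		}
	}
	iss, _ := claims["iss"].(string)
	key, ok := v.Keys[iss][hdr.Kid] // indexing a missing inner map is safe in Go: ok is simply false
	if hdr.Alg != "RS256" || !ok { return nil, fmt.Errorf("no RS256 public JWK registered for issuer %q and kid %q", iss, hdr.Kid) }
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil { return nil, fmt.Errorf("invalid signature") }
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	if aud, _ := claims["aud"].(string); aud != wantAud || now.Unix() >= int64(exp) { return nil, fmt.Errorf("audience/expiry check failed for aud %q", aud) }
	return claims, nil
}
```

With an empty Keys map the verifier fails exactly where Hydra does in the log above; registering the issuer's JWKS under the token's kid is what makes the signature check possible.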