The message is not very clear “INVALID_KEY” but as it has been raised by checkSignatureKeySize, I’ve been able to find that the minimum key length authorized is 2048 ( see code https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ).
So we have to change the rsa key of our keycloak server which is a 1024 bit length.