@Test
  public void testSignatureVerificationHardcodedPublicKey() throws Exception {
    // Configure OIDC identity provider with JWKS URL
    IdentityProviderRepresentation idpRep = getIdentityProvider();
    OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idpRep);
    cfg.setValidateSignature(true);
    cfg.setUseJwksUrl(false);

    KeysMetadataRepresentation.KeyMetadataRepresentation key =
        ApiUtil.findActiveKey(providerRealm());
    cfg.setPublicKeySignatureVerifier(key.getPublicKey());
    updateIdentityProvider(idpRep);

    // Check that user is able to login
    logInAsUserInIDPForFirstTime();
    assertLoggedInAccountManagement();

    logoutFromRealm(bc.consumerRealmName());

    // Rotate public keys on the parent broker
    rotateKeys();

    // User not able to login now as new keys can't be yet downloaded (10s timeout)
    logInAsUserInIDP();
    assertErrorPage("Unexpected error when authenticating with identity provider");

    logoutFromRealm(bc.consumerRealmName());

    // Even after time offset is user not able to login, because it uses old key hardcoded in
    // identityProvider config
    setTimeOffset(20);

    logInAsUserInIDP();
    assertErrorPage("Unexpected error when authenticating with identity provider");
  }
  // Configure OIDC identity provider with JWKS URL and validateSignature=true
  private void updateIdentityProviderWithJwksUrl() {
    IdentityProviderRepresentation idpRep = getIdentityProvider();
    OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idpRep);
    cfg.setValidateSignature(true);
    cfg.setUseJwksUrl(true);

    UriBuilder b =
        OIDCLoginProtocolService.certsUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT));
    String jwksUrl = b.build(bc.providerRealmName()).toString();
    cfg.setJwksUrl(jwksUrl);
    updateIdentityProvider(idpRep);
  }