v0.3.44

tagged this 09 Jun 04:20
Local SP login was issuing tokens from the local CSS provider while serving JWKS from the external account issuer. That split makes Inrupt reject the redirect because the token kid cannot be found in the advertised JWKS.

The auto-detect OIDC handler is now only a pass-through sentinel, so discovery, token, and JWKS all fall through to CSS's local OIDC handler. Tests cover both the handler-level contract and a runtime Local SP with a mock external issuer.

Constraint: Local SP uses external Cloud for account authority, but OIDC token validation must remain same-origin with the selected storage provider.

Rejected: Proxy external issuer JWKS | local CSS signs the token, so external keys cannot verify it.

Confidence: high

Scope-risk: narrow

Directive: Do not reintroduce external JWKS proxying for Local SP unless token issuance is also moved to that same issuer.

Tested: bun run check:platform-package-version

Tested: bun run build:ts

Tested: bun run test:run tests/identity/oidc/AutoDetectOidcHandler.test.ts tests/runtime/XpodRuntime.integration.test.ts -t 'AutoDetectOidcHandler|Local SP OIDC key material'
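As an added illustration (not code from this release or from CSS/Inrupt), the check a Solid client applies when it receives a token: the issuer must be the selected storage provider, and the token header's `kid` must appear in that provider's advertised JWKS. The provider URL, key ids and JWK fields below are constructed to reproduce the split described above and the same-origin configuration that fixes it.

```javascript
// Helper: base64url-encode a JSON object (JWT header/payload segment).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Build a demo JWT string; the signature segment is a placeholder because only
// the header/payload lookup is demonstrated here, not signature verification.
function makeToken(header, payload) {
  return `${b64url(header)}.${b64url(payload)}.sig`;
}

function decodePart(part) {
  return JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
}

// Resolve the key that should verify `token`:
//  - the token issuer must be the selected storage provider (same-origin), and
//  - the header kid must be present in the JWKS that provider advertises.
// Returns { ok: true, key } or { ok: false, reason }.
function resolveSigningKey(token, expectedIssuer, jwks) {
  const [h, p] = token.split(".");
  const header = decodePart(h);
  const payload = decodePart(p);
  if (payload.iss !== expectedIssuer) {
    return { ok: false, reason: `issuer ${payload.iss} is not ${expectedIssuer}` };
  }
  const key = jwks.keys.find((k) => k.kid === header.kid);
  if (!key) {
    return { ok: false, reason: `kid ${header.kid} not found in advertised JWKS` };
  }
  return { ok: true, key };
}

// Constructed fixtures: the local CSS signs with kid "local-1", while the
// external account issuer advertises only kid "ext-1".
const LOCAL_SP = "https://pod.example.test";
const localJwks = { keys: [{ kid: "local-1", kty: "RSA", n: "PLACEHOLDER_N", e: "AQAB" }] };
const externalJwks = { keys: [{ kid: "ext-1", kty: "RSA", n: "PLACEHOLDER_N", e: "AQAB" }] };
const token = makeToken({ alg: "RS256", kid: "local-1" }, { iss: LOCAL_SP, sub: "alice" });

// Before the fix: JWKS came from the external issuer, so the kid lookup fails.
const split = resolveSigningKey(token, LOCAL_SP, externalJwks);
// After the fix: JWKS falls through to the local handler and the key is found.
const sameOrigin = resolveSigningKey(token, LOCAL_SP, localJwks);
```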