There are a couple of things to check:

make sure that you've updated the issuer at the tenant screen: https://fusionauth.io/docs/v1/tech/core-concepts/tenants#general make sure you are using an asymmetric keypair to sign the id token. If you are using HMAC, which is the default for FusionAuth, you have to share a secret. Asymmetric algorithms like RSA256 are what proxies typically need (so they don't have to have the signing secret). More here: https://fusionauth.io/docs/v1/tech/core-concepts/applications#jwt and here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master

Hope that helps.