
I am trying to integrate our self-managed GitLab 15.9.3-ee instance with our Azure AD. Using Azure AD as the IdP for SSO into GitLab, I have been using the documentation here:

https://docs.gitlab.com/ee/administration/auth/oidc.html

https://docs.gitlab.com/ee/integration/omniauth.html

https://docs.gitlab.com/ee/integration/azure.html

to set up OmniAuth to use OpenIdConnect to access our login.microsoftonline.com V2 endpoint on our development Azure tenant. The config required in omniauth_providers [] differs slightly between documents; this is what I am currently using:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ["azure_activedirectory_v2"]
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_user'] = ["azure_activedirectory_v2"]


gitlab_rails['omniauth_providers'] = [
  {
    name: "azure_activedirectory_v2",
    args: {
      name: "azure_activedirectory_v2",
      strategy_class: "OmniAuth::Strategies::OpenIDConnect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer:  "https://login.microsoftonline.com/6b72c6a7-3624-4c78-82ea-8901960e56c3/v2.0",
      client_auth_method: "query",
      discovery: true,
      uid_field: "preferred_username",
      send_scope_to_token_endpoint: "false",
      pkce: true,
      client_options: {
        identifier: "386481e3-7a0e-4ba3-b85c-d1baa1716276",
        secret: "nev8Q~bGETvJNqdm58__xGG.mZjmcfIsS69hZanZ",
        redirect_uri: "https://gitlab.dev.scalable.com/users/auth/azure_activedirectory_v2/callback"
      }
    }
  }
]

I can see the Azure login button on the login page and the Azure AD v2 "Connect to Azure AD" button in: GitLab-> User Dropdown-> Edit Profile-> Account-> Service sign-in. When I press the Connect button, the Azure logs record the authentication as successful, but in the GitLab application.log I get an Authentication failure! JSON::JWK::Set::KidNotFound error.

2023-05-24T14:40:28.421Z: (openid_connect) Request phase initiated.
2023-05-24T14:40:29.113Z: (openid_connect) Callback phase initiated.
2023-05-24T14:40:29.627Z: (openid_connect) Authentication failure! JSON::JWK::Set::KidNotFound: JSON::JWK::Set::KidNotFound, JSON::JWK::Set::KidNotFound

This happens whether I am using the azure_activedirectory_v2 or the openid_connect callback. I have tried a few different values for uid_field:, such as: oid, sub, name, email, mail, preferred_username, user.name... and a few more besides. So I was wondering if there is any more recent documentation that covers Azure AD setup from scratch, or a better source of debugging information?

Or am I just doing something wrong?

MrRed

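JSON::JWK::Set::KidNotFound is raised by the json-jwt gem when the `kid` in the ID token's JOSE header is not present in the JWK set the strategy fetched from the issuer's `jwks_uri`. An offline check that reproduces that condition on a token and a key set is a quick way to narrow down whether the token and the discovered keys actually belong to the same issuer. The script below is an added diagnostic example, not code from the question, the GitLab docs or the json-jwt gem; the token, the JWK set, the issuer and the client id are constructed placeholder values, and the signature is a dummy (the script only inspects headers and claims, it does not verify anything).

```ruby
require 'base64'
require 'json'

# Constructed placeholders; replace with the values from your own tenant and config.
SAMPLE_ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"

# base64url without padding, as used in compact JWT serialization.
def b64url(obj)
  Base64.urlsafe_encode64(JSON.generate(obj), padding: false)
end

# Build a compact JWT that looks like an ID token for demonstration purposes.
# The third segment is a dummy, so this token is NOT verifiable; it is only
# useful for inspecting the header and claims.
def build_sample_token(kid:, iss:)
  header  = { alg: "RS256", typ: "JWT", kid: kid }
  payload = { iss: iss, aud: "CLIENT-ID-PLACEHOLDER", preferred_username: "user@example.com" }
  [b64url(header), b64url(payload), "dummy-signature"].join(".")
end

# A constructed JWK set that only publishes one signing key id, KEY-A.
SAMPLE_JWKS = { "keys" => [{ "kty" => "RSA", "use" => "sig", "kid" => "KEY-A" }] }

# Decode one base64url segment of a JWT into a Hash (unpadded input is accepted).
def decode_segment(segment)
  JSON.parse(Base64.urlsafe_decode64(segment))
end

# Compare the token's kid and iss against a JWK set and the issuer you configured.
# kid_found == false is exactly the situation in which json-jwt raises
# JSON::JWK::Set::KidNotFound; issuer_matches == false usually means the keys
# were fetched from a different tenant/endpoint than the one that issued the token.
def diagnose(token, jwks, configured_issuer)
  header, payload = token.split(".").first(2).map { |s| decode_segment(s) }
  available = jwks.fetch("keys", []).map { |k| k["kid"] }
  {
    kid: header["kid"],
    kid_found: available.include?(header["kid"]),
    available_kids: available,
    token_issuer: payload["iss"],
    issuer_matches: payload["iss"] == configured_issuer
  }
end

if __FILE__ == $PROGRAM_NAME
  # Token signed with KEY-B, but the key set only knows KEY-A: the KidNotFound case.
  token = build_sample_token(kid: "KEY-B", iss: SAMPLE_ISSUER)
  puts JSON.pretty_generate(diagnose(token, SAMPLE_JWKS, SAMPLE_ISSUER))
end
```

To use it against a real failure, paste the ID token from the callback (from a request capture or by temporarily raising the OmniAuth log level) into `diagnose` together with the JSON document served at the `jwks_uri` listed in the issuer's `.well-known/openid-configuration`; if `kid_found` is false but `issuer_matches` is true, the key set you fetched is stale or from the wrong endpoint, and if `issuer_matches` is also false, the `issuer:` value in the provider config does not match the tenant that actually issued the token.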