diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
index 049fd2a3..de89f99a 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
@@ -251,6 +251,14 @@ public static partial class OpenIddictClientHandlers
 var result = await context.SecurityTokenHandler.ValidateTokenAsync(context.Token, context.TokenValidationParameters);
 if (!result.IsValid)
 {
+ // If validation failed because of an unrecognized key identifier and a client
+ // registration is available, inform the configuration manager that the configuration
+ // MAY have be refreshed by sending a new discovery request to the authorization server.
+ if (context.Registration is not null && result.Exception is SecurityTokenSignatureKeyNotFoundException)
+ {
+ context.Registration.ConfigurationManager.RequestRefresh();
+ }
+
 context.Logger.LogTrace(result.Exception, SR.GetResourceString(SR.ID6000), context.Token);
 context.Reject(