Since Keycloak 20, it is required to set the openid scope when requesting a JWT, otherwise the application does not have access to the /userinfo OIDC endpoint.
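
A preflight check for the requirement above, as an added example that is not from the original page. It assumes the access token is a JWT carrying its granted scopes in a space-separated `scope` claim; the helper names and the sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature.

    Diagnostic use only: never base authorization decisions on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_openid_scope(token: str) -> bool:
    """True only if 'openid' is a whole entry of the scope claim."""
    scope = jwt_claims(token).get("scope", "")
    if not isinstance(scope, str):
        return False
    # Split on whitespace: a substring test would accept e.g. "openidx".
    return "openid" in scope.split()


def with_openid(requested_scope: str) -> str:
    """Return the scope string to send in the token request, openid included."""
    scopes = requested_scope.split()
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    return " ".join(scopes)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed sample tokens (not real Keycloak output).
TOKEN_WITH = make_sample_token({"sub": "alice", "scope": "openid profile email"})
TOKEN_WITHOUT = make_sample_token({"sub": "alice", "scope": "profile email"})
TOKEN_LOOKALIKE = make_sample_token({"sub": "alice", "scope": "profile openidx"})

if __name__ == "__main__":
    for name, tok in [("with", TOKEN_WITH), ("without", TOKEN_WITHOUT)]:
        print(name, "-> may call /userinfo:", has_openid_scope(tok))
    print("scope to request:", with_openid("profile email"))
```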