I'm working on a provider where it is required by external factors that the id token and the userinfo always be encrypted. The server itself is and must be zero-knowledge (as weird as it sounds).
In my understanding the core spec does not forbid this. Dynamic client registration is also supported but all id_token_encrypted*/userinfo_encrypted* client metadata parameters are overridden by the server if they were not provided. According to the spec the server is allowed to do this.
The discovery spec however doesn't seem to support the idea since there is no way to tell the client that unencrypted responses will not be returned.
The conformance testing tool also seems to assume the response is unencrypted. In order to be able to run the tests I had to make an exception for this specific client. Now I only return signed responses, but even if this passes, it's not the real thing.
Does this prevent me from getting verified or I may pass verification using this slightly modified server while requiring real clients to support encryption?
One cannot certify without supporting unencrypted RSA SHA-256 signed ID tokens. However, you can certify a software implementation and then disable particular algorithms at deployment time.
edit: the only exception to this is supporting "none" but that is not relevant for your case