OpenID Provider [oidc] did not return a nonce


I’m facing this problem with Keycloak 11 using an external OIDC identity provider owned by a customer. After the authentication flow, KC shows the error screen and logs this:

13:15:57,417 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-14) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: OpenID Provider [oidc] did not return a nonce

Analyzing the request exchange, here is what I found. We send a request to the IDP:

https://customer.authenticationprovider.com/oauth/authorize?scope=.......&state=jeyYDts-Og9n6_xCmsLZbIFYgpEWBUuiRMyIxKvHKww.IHTW18ftmW0.myrealm&response_type=code&client_id=my-client-id&redirect_uri=https%3A%2F%2Fmykecylcoak.domain.com%2Fauth%2Frealms%2Fmyrealm%2Fbroker%2Foidc-business%2Fendpoint&prompt=login&nonce=G48quNB66mHQ7_DenQghuA

The IDP, after login, returns to the returnUrl without a nonce parameter:

https://mykecylcoak.domain.com/auth/realms/myrealm/broker/oidc-business/endpoint?code=SJ2cXGWB6nkvZ09onMRUVJZ40qMq4vNFFSHo_2mA1Do&state=jeyYDts-Og9n6_xCmsLZbIFYgpEWBUuiRMyIxKvHKww.IHTW18ftmW0.myrealm

Do you think this is a problem on the IDP side? Can this check be disabled on the Keycloak side?


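As an added illustration, not code from the question or from Keycloak itself: in OpenID Connect the nonce sent on the authorize request comes back as a claim inside the ID token obtained from the code exchange (OIDC Core 3.1.3.7), not as a query parameter on the redirect, so the broker's check compares the nonce it stored with that claim. The Python below models the broker side with a constructed, unsigned stand-in token; the hosts follow the question, while `validate_nonce` and the sample claims are assumptions.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Hosts taken from the question; everything else here is constructed for the example.
AUTHORIZE_ENDPOINT = "https://customer.authenticationprovider.com/oauth/authorize"
REDIRECT_URI = "https://mykecylcoak.domain.com/auth/realms/myrealm/broker/oidc-business/endpoint"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorize_url(state: str, nonce: str) -> str:
    """Step 1: the broker sends state and nonce and remembers both in its login session."""
    params = {"scope": "openid", "state": state, "response_type": "code",
              "client_id": "my-client-id", "redirect_uri": REDIRECT_URI, "nonce": nonce}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def make_id_token(claims: dict) -> str:
    """Constructed unsigned (alg=none) token standing in for the IdP's signed ID token.
    A real broker verifies the signature before trusting any claim."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def validate_nonce(id_token: str, expected_nonce: str) -> dict:
    """Step 3: after exchanging the code, the nonce must be present as an ID token claim
    and equal the stored value. Returns the claims when the binding holds."""
    claims = json.loads(b64url_decode(id_token.split(".")[1]))
    returned = claims.get("nonce")
    if returned is None:
        raise ValueError("OpenID Provider did not return a nonce")
    if not isinstance(returned, str) or not secrets.compare_digest(
            returned.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: replayed or mixed-up ID token")
    return claims

if __name__ == "__main__":
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    print(build_authorize_url(state, nonce))
    # Step 2: the callback carries only code and state, as in the question; the nonce
    # arrives later, inside the ID token returned by the token endpoint.
    good = make_id_token({"iss": AUTHORIZE_ENDPOINT, "sub": "alice", "nonce": nonce})
    print("accepted:", validate_nonce(good, nonce)["sub"])
    missing = make_id_token({"iss": AUTHORIZE_ENDPOINT, "sub": "alice"})
    try:
        validate_nonce(missing, nonce)
    except ValueError as err:
        print("rejected:", err)
```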