I am using Keycloak 10.0.1. I am trying to set up Identity Brokering between an OIDC Provider and another application. I was able to achieve successful user login when the ID Tokens were not encrypted.
I am trying to configure Keycloak to be able to accept encrypted ID Tokens. But when setting up an OIDC identity provider in Keycloak under “Identity Providers”, there was no option to explicitly indicate that the ID Tokens would be encrypted, nor was there any option to indicate which key to use for decryption.
I have tried adding a self-generated RSA key under “Realm Settings > Keys”, and configured the OIDC Provider end to use the public key for encryption. In the JWE representation of the encrypted ID Token, the JOSE header contains “RSA-OAEP-256” in the “alg” field and “A256CBC-HS512” in the “enc” field. However, now with encryption enabled, I get the following exception when I try to log in from the OIDC Provider:
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-94) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Invalid token
I have tested separately to confirm that the encrypted ID token has been generated properly. The OIDC provider that I have been using is this: https://github.com/panva/node-oidc-provider
Is there anything which I may have misconfigured?