Email validation link - CodeVerifier issue


I’m facing an issue with the e-mail validation process for a self-registered user in Keycloak.

Here is the configuration I’ve applied in Keycloak :

  • Realm settings → Login :
    - User registration = ON
    - Verify Email = ON

  • Clients → my-OIDC-Client → Settings → Capabilities :
    - Client authentication : OFF
    - Authorization : OFF
    - Authentification flow : “Standard flow” enabled only

And here is the configuration I’ve applied at the website side (we are using this plug-in : react-oauth2-code-pkce - npm):

clientId: ‘<my_OIC_client>’,
authorizationEndpoint: ${KEYCLOAK_ENDPOINT}/auth,
logoutEndpoint: ${KEYCLOAK_ENDPOINT}/logout,
tokenEndpoint: ${KEYCLOAK_ENDPOINT}/token,
redirectUri: https://<my_website_URL>/login,
logoutRedirect: https://<my_website_URL>/login,
scope: ‘profile openid’,
decodeToken: true,
autoLogin: true,

KEYCLOAK_ENDPOINT : https://<my_keycloak_URL>/realms/<my_OIDC_realm>/protocol/openid-connect

The login works fine : the user is correclty redirected to the Keycloak login page, then to the website when logged.

But if user needs to register via the Keycloak registration form, he recieves a link by e-mail that contains a validation link like this :

Opening this link actually validates the user’s email, and the user is instantly redirected to https://<my_website_URL>/login?code=<_a_generated_code>

If the link is opened in the same browser tab where the user made his regitration, the user is automatically logged.

But if the link is opened in a new tab, it results the following error in the Javascript console :

Error: Can't get tokens without the CodeVerifier. 
Has authentication taken place ?

I wonder what would be the best way to avoid this behavior. It seems that the “tab_id” in the generated validation link forces the user to use the same tab. Is there a configuration that I missed, or a protocol incompatibility with my applied configuration ?

Hello! Did you manage to solve the issue?