Hey guys,
In my Keycloak instance launched on a test server, I configured an identity provider without any problem using its well-known OpenID configuration.
When I try to connect to the Keycloak client account home URL (https://MY_KEYCLOAK_SERVER_URL/realms/MY_REALM_NAME/account/), I select my IdP and I am correctly redirected to its login page. I fill in my user credentials, and when I submit the page I get this error:
"Unexpected error when authenticating with identity provider"
In the Keycloak server logs, I have this error:
2023-02-24 20:07:20,390 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1323/0x0000000840bb1c40
2023-02-24 20:07:22,496 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-4) Will use client 'account-console' in back-to-application link
2023-02-24 20:07:22,497 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-4) AUTH_SESSION_ID cookie found in the request header
2023-02-24 20:07:22,497 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-4) AUTH_SESSION_ID cookie found in the cookie field
2023-02-24 20:07:22,497 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-4) Found AUTH_SESSION_ID cookie with value bbf81d41-7623-4e17-a30b-2b68b9bd9679.app4-integration-61742
2023-02-24 20:07:22,498 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-4) Authorization code is valid.
2023-02-24 20:07:22,503 DEBUG [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (executor-thread-4) Trying to use proxy mapping from env vars
2023-02-24 20:07:22,504 DEBUG [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (executor-thread-4) httpProxy: null, noProxy: null
2023-02-24 20:07:22,506 WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (executor-thread-4) TruststoreProvider is disabled
2023-02-24 20:07:23,451 DEBUG [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProvider] (executor-thread-4) Public keys retrieved successfully for model f41c2983-c1ee-467c-8771-af0735d6964b::idp::6ee65f96-d5ba-487c-9e14-5e1a4c0b3649. New kids: [ed3c42c210d4a942bcb9bb78b86ed339e657caf223916b9ddf5f7bb8218641845379c04ddbea1889e888b644850b387cded1a169f7af4e9545b53e43a7da82e6sig]
2023-02-24 20:07:23,457 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-6) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Token is no longer valid
at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:629)
at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:607)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:388)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:505)
With the identity provider team, we tried modifying Keycloak realm settings such as:
Access Token Lifespan (2 days)
Access Token Lifespan For Implicit Flow (4 days)
Client Login Timeout (4 days)
User-Initiated Action Lifespan (2 days)
Default Admin-Initiated Action Lifespan (2 days)
I tried with Keycloak versions 20.0.2 and 21.0.0.
We set these values in days to be sure it was not a token expiration problem.
We verified that the two servers, Keycloak and the IdP, have the same timezone, and that the redirect URI is correctly specified.
We also checked token signature validation.
At this point, we don't know what more to do to figure out this error.
Can anyone please help?
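The "Token is no longer valid" message in the trace above comes from Keycloak's OIDCIdentityProvider.validateToken, which rejects the IdP's ID token when its exp/nbf claims fail the active-token check against the broker's own clock (plus the "Allowed clock skew" configured on the identity provider). The realm lifespans listed above only govern tokens that Keycloak itself issues, so they cannot affect a token Keycloak receives. The following diagnostic script is an added example, not Keycloak's or the poster's code: it decodes an ID token without verifying the signature and reports which time claim fails for a given clock and skew allowance, and the smallest skew that would have let it pass. The token, issuer URL and kid inside it are constructed here for illustration; in practice you would paste the real ID token captured from the IdP's token endpoint (or logged by Keycloak with broker debug logging enabled).

```python
"""Decode an OIDC ID token and evaluate its time claims (exp / nbf / iat)
against a given clock with a skew allowance, to tell a genuinely expired
token apart from clock drift between the IdP and the broker.

Added diagnostic example, not Keycloak's code. The token used below is
constructed inline with a dummy signature; the signature is deliberately
NOT verified here, only the time arithmetic is checked.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS (header.payload.signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(token: str, now: Optional[int] = None, allowed_skew: int = 0) -> dict:
    """Apply the active-token rule: reject if now > exp + skew or now < nbf - skew.

    `now` is Unix seconds on the verifying side (the broker) and `allowed_skew`
    the tolerance the broker is configured to accept. The result also reports
    the smallest skew that would have made the token acceptable, and flags an
    `iat` in the future, the classic sign of an issuer clock running ahead.
    """
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    issues = []
    skew_needed = 0
    if exp is not None and now > exp + allowed_skew:
        issues.append(f"expired {now - exp}s ago (exp={exp})")
        skew_needed = max(skew_needed, now - exp)
    if nbf is not None and now < nbf - allowed_skew:
        issues.append(f"not valid for another {nbf - now}s (nbf={nbf})")
        skew_needed = max(skew_needed, nbf - now)
    if iat is not None and iat > now + allowed_skew:
        issues.append(f"issued {iat - now}s in the future (iat={iat}): issuer clock ahead?")
    return {
        "now": now,
        "active": not issues,
        "issues": issues,
        "skew_needed": skew_needed,
        "claims": claims,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an RS256 header and a dummy signature (test input only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}  # hypothetical kid
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


if __name__ == "__main__":
    # Constructed scenario: the IdP's clock is 10 minutes behind the broker's,
    # so a 5-minute ID token arrives already expired by the broker's reckoning.
    broker_now = 1_677_268_042                     # 2023-02-24 20:07:22 UTC
    idp_now = broker_now - 600
    tok = make_unsigned_token({"iss": "https://idp.example",  # hypothetical issuer
                               "iat": idp_now, "nbf": idp_now, "exp": idp_now + 300})
    for skew in (0, 120, 600):
        r = check_time_claims(tok, now=broker_now, allowed_skew=skew)
        print(f"skew={skew:>3}s active={r['active']} skew_needed={r['skew_needed']}s issues={r['issues']}")
```

Run it against the real token with `now` taken from the Keycloak host (`date +%s`) rather than from the machine you paste it on; a same-timezone check does not catch a clock that is simply wrong, so compare the raw epoch seconds on both hosts (or `ntpq -p` / `timedatectl` output) before touching any lifespan settings.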