OpenID Provider [oidc] did not return a nonce

Hi! I’m facing this problem with Keycloak 11 using an external OIDC identity provider owned by customer. After the authentication flow KC shows the error screen and logs this:

13:15:57,417 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-14) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: OpenID Provider [oidc] did not return a nonce

Analyzing requests exchange here is what i found:
We send request to IDP:

https://customer.authenticationprovider.com/oauth/authorize?scope=.......&state=jeyYDts-Og9n6_xCmsLZbIFYgpEWBUuiRMyIxKvHKww.IHTW18ftmW0.myrealm&response_type=code&client_id=my-client-id&redirect_uri=https%3A%2F%2Fmykecylcoak.domain.com%2Fauth%2Frealms%2Fmyrealm%2Fbroker%2Foidc-business%2Fendpoint&prompt=login&nonce=G48quNB66mHQ7_DenQghuA

IDP, after login, return to returnUrl without nonce parameter:

https://mykecylcoak.domain.com/auth/realms/myrealm/broker/oidc-business/endpoint?code=SJ2cXGWB6nkvZ09onMRUVJZ40qMq4vNFFSHo_2mA1Do&state=jeyYDts-Og9n6_xCmsLZbIFYgpEWBUuiRMyIxKvHKww.IHTW18ftmW0.myrealm

Do you think is a problem IDP side? This control can be disabled Keycloak side?

hi claudiomerlientando,

we am facing the same szanario. our customers ipd returns a nonce parameter and we want to reproduce with our keycloak idp but we can not find an option to return the nonce parameter.

kind regards

Hi @Starsek, we solved by creating a custom image which handle an environment variable “USE_NONCE” wich activate or deactivate the check on nonce parameter

Hey @claudiomerlientando, thanks for responsing. do you mean a docker-image with “custom image”?

Hi @Starsek, sorry for the late response, yes, a custom image.