I am using Keycloak 26.0 as an Identity Provider in a Docker container.
In a realm I configured an external Identity Provider that works correctly when I test it directly (e.g. with Apache mod_auth_openidc). But in Keycloak the authentication failed when trying to read the UserInfo token (all previous steps, including authentication toward the external IdP, succeed).
This IdP is sending a signed token with the RS256 algorithm. I configured this algorithm too, as well as the JWKS URL, from the Keycloak admin console.
In the Keycloak container I can check in the log that the JWT token sent is correct (I can read it correctly from an online JWT decoder). But Keycloak cannot parse it correctly. Here are some errors in the logs:
2025-03-25 15:31:42 2025-03-25 14:31:42,153 DEBUG [.apache.http.wire] (executor-thread-49) http-outgoing-2 >> "GET /api/v2/userinfo HTTP/1.1[\r][\n]"
2025-03-25 15:31:42 2025-03-25 14:31:42,200 DEBUG [.apache.http.wire] (executor-thread-49) http-outgoing-2 << "Content-Type: application/jwt; charset=utf-8[\r][\n]"
…
2025-03-25 15:31:42 2025-03-25 14:31:42,204 ERROR [.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-49) Failed to make identity provider oauth callback: .keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
2025-03-25 15:31:42 at .keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:445)
2025-03-25 15:31:42 at .keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:557)
…
2025-03-25 15:31:42 Caused by: java.lang.RuntimeException: Failed to parse JWT header
2025-03-25 15:31:42 at .keycloak.jose.JOSEParser.parse(JOSEParser.java:36)
2025-03-25 15:31:42 at .keycloak.broker.oidc.OIDCIdentityProvider.parseTokenInput(OIDCIdentityProvider.java:635)
2025-03-25 15:31:42 at .keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:696)
2025-03-25 15:31:42 at .keycloak.broker.oidc.OIDCIdentityProvider.processAccessTokenResponse(OIDCIdentityProvider.java:262)
…
2025-03-25 15:31:42 Caused by: com.fasterxml.jackson.core.JsonParseException: Invalid UTF-8 middle byte 0x7d
2025-03-25 15:31:42 at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 5]
2025-03-25 15:31:42 at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2572)
2025-03-25 15:31:42 at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2598)
How can I fix this problem?
[EDIT]: sometimes the error message is quite different:
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ((CTRL-CHAR, code 155)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
 at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 1]
 at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2648)
Maybe Keycloak cannot decode a wrongly encoded character?? But I cannot see this character in the token found in the log file.
[EDIT2]: the issue only occurs when Keycloak runs in a Docker container. If I install and run Keycloak directly on my macOS machine, the authentication succeeds. I checked the locale encoding in the container, everything seems correct:
ENV LANG=en_US.UTF-8
ENV LC_ALL=en_US.UTF-8
ENV JAVA_OPTS="-Dfile.encoding=UTF-8"
So I'm wondering, what could the issue be?
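A small diagnostic, added here and not part of the question or of Keycloak, that walks the same steps any JOSE parser takes on a UserInfo body served as `application/jwt` (split into three segments, base64url-decode the header, decode it as UTF-8, parse it as JSON) and reports the first step that fails and on which byte. The tokens are constructed samples; the corrupt one reproduces the shape of the "Invalid UTF-8 middle byte 0x7d" error, where a stray UTF-8 lead byte precedes the header's closing brace.

```python
import base64
import json
import string

B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWS segment, restoring the '=' padding JWS omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt_header(raw_body: str) -> dict:
    """Check a body that should be a compact JWS and say which parsing step fails:
    segment count, base64url alphabet, base64url decoding, UTF-8, JSON."""
    token = raw_body.strip()
    segments = token.split(".")
    if len(segments) != 3:
        return {"ok": False, "error": f"expected 3 dot-separated segments, got {len(segments)}"}
    head = segments[0]
    bad = sorted({c for c in head if c not in B64URL_ALPHABET})
    if bad:  # quotes, control chars or whitespace mean the body is not a bare JWS
        return {"ok": False, "error": f"header segment has non-base64url characters: {bad!r}"}
    try:
        header_bytes = b64url_decode(head)
    except ValueError as exc:  # binascii.Error is a ValueError
        return {"ok": False, "error": f"header segment is not valid base64url: {exc}"}
    try:
        header_text = header_bytes.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Show the offending byte and the one after it, e.g. "c3 7d" for a lead byte followed by '}'.
        window = header_bytes[exc.start:exc.start + 2].hex(" ")
        return {"ok": False, "error": f"header is not UTF-8 at byte {exc.start} ({exc.reason}): {window}"}
    try:
        header = json.loads(header_text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "error": f"header is not JSON: {exc.msg} at column {exc.colno}"}
    return {"ok": True, "header": header}


# Constructed sample tokens: payload and signature are placeholders, only the header matters here.
HEADER_JSON = b'{"alg":"RS256","typ":"JWT","kid":"example-key"}'
TAIL = b64url_encode(b'{"sub":"alice"}') + "." + b64url_encode(b"placeholder-signature")
GOOD_TOKEN = b64url_encode(HEADER_JSON) + "." + TAIL
# Same header with the closing '"' replaced by a lone UTF-8 lead byte (0xC3), so the final '}'
# (0x7D) is consumed as a continuation byte, which is what Jackson calls a bad "middle byte".
CORRUPT_TOKEN = b64url_encode(HEADER_JSON[:-2] + b"\xc3}") + "." + TAIL
```

Feeding the exact body captured from the `apache.http.wire` log into `inspect_jwt_header` tells whether the header bytes themselves are broken or whether the body carries something besides a bare compact JWS (quotes, a BOM, control characters) before Keycloak ever reaches the signature check.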