[keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!

​Hi, The AWS ALB​ will allow you to authenticate to cognito or OIDC nowadays. I thought "Great, I can connect it up to my KeyCloak". Sadly not. Well, I can connect it to KeyCloak and see sensible looking headers and JWTs flowing back and forth. And then the ALB says "500 Internal Server Error" :-( I can see a request to keycloak (from the client) : https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/a... And it 302 redirects back to the ALB : https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BE... On the KeyCloak server I can see the POST requests from the browser coming in and hitting the authenticate URL, KC hands back a 302 (the URL above) Then the ALB does a POST to the token endpoint and gets a 200 response with a nice chunk of access token. I can decode it and see my details quite happily. I even validated the signature. (Using jwt.io 's debugger.) Although the ALB doesn't ask for the certificate at any stage, so I don't think it even bothers validating it. But it doesn't seem to like it. And gives me a 500 error. (I can authenticate with Google OIDC without any trouble...) (NB Any secrets in any of those strings won't get you very far, there is no content yet :-) )