When setting up a second Keycloak as identity provider I am forwarded correctly to the
identity provider and back to the initial Keycloak instance. So far so good, but as soon
as I am forwarded back to the initial instance I receive an error page with the following
log entry:
06:42:40,715 WARN [org.keycloak.events] (default task-25)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=<myrealm>, clientId=null, userId=null,
ipAddress=<my ip>, error=invalid_code
It is not really clear what the error is in this case. It seems that the second Keycloak
instance (the identity provider) generates a wrong authorization code, which is not accepted by
the first Keycloak instance. But as a user I do not really see how I could change that
behaviour. It is not really clear what to do with this error. Whatever is causing this
error (which is obviously just a warning?), it has to be clearer.
I attached the screenshots of the first Keycloak instance's identity provider configuration and
the client configuration in the second Keycloak instance.
When using direct grant for the identity provider instance I can successfully fetch an
access token. It is therefore not an authorization issue itself (as I was successfully
authenticated) but maybe rather related to the generation or parsing of the authorization
code.
Environment:
Official docker image jboss/keycloak 3.3.0.CR1 for both instances
Steps to reproduce:
1. Set up 2 Keycloak instances where one instance acts as identity provider (with the
options set similar to the screenshots attached)
1.1 Use /auth/realms/myrealm/.well-known/openid-configuration to export the client config
of the identity provider and import it as identity provider configuration
2. Create a user in the identity provider instance
3. Call
/auth/realms/<myrealm>/protocol/openid-connect/auth?client_id=token-exchange&login=true&redirect_uri=<redirect-uri>&response_type=token&nonce=123
in the first Keycloak instance and click on the identity provider button.
4. Log in with the user created
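The event line quoted in the report, as an added example that is not part of the original post: a small Python parser for org.keycloak.events log lines that tallies IDENTITY_PROVIDER_LOGIN_ERROR events by realm, error code and source IP, so repeated invalid_code failures from brokering can be spotted in a log. The sample lines below are constructed, modelled on the format of the quoted entry.

```python
import re
from collections import Counter

# Constructed sample log lines in the format of the quoted Keycloak event entry.
SAMPLE_LOG = """\
06:42:40,715 WARN [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=10.0.0.5, error=invalid_code
06:42:41,002 INFO [org.keycloak.events] (default task-26) type=LOGIN, realmId=myrealm, clientId=account, userId=1234, ipAddress=10.0.0.6
06:43:10,118 WARN [org.keycloak.events] (default task-27) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=10.0.0.5, error=invalid_code
06:44:00,000 WARN [org.keycloak.events] (default task-28) type=LOGIN_ERROR, realmId=other, clientId=app, userId=null, ipAddress=10.0.0.7, error=invalid_user_credentials
"""

# Timestamp, level, the org.keycloak.events logger, the thread in parentheses,
# then the comma-separated key=value event fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+\[org\.keycloak\.events\]"
    r"\s+\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)


def parse_event(line):
    """Return a dict for one org.keycloak.events line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "level": m.group("level"), "thread": m.group("thread")}
    for pair in m.group("fields").split(", "):
        key, _, value = pair.partition("=")
        # Keycloak prints absent fields as the literal string "null".
        event[key.strip()] = None if value == "null" else value
    return event


def broker_error_summary(log_text):
    """Count IDENTITY_PROVIDER_LOGIN_ERROR events per (realmId, error, ipAddress)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "IDENTITY_PROVIDER_LOGIN_ERROR":
            counts[(ev.get("realmId"), ev.get("error"), ev.get("ipAddress"))] += 1
    return counts


if __name__ == "__main__":
    for (realm, error, ip), n in broker_error_summary(SAMPLE_LOG).items():
        print(f"realm={realm} error={error} ip={ip} count={n}")
```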