I searched further and found the RFC that specifies the OAuth2 token_type;
it should be case-insensitive, as stated here
https://tools.ietf.org/html/rfc6749#section-4.2.2 :
"token_type
REQUIRED. The type of the token issued as described in
Section 7.1 <https://tools.ietf.org/html/rfc6749#section-7.1>. Value is
case insensitive."
But in LemonLDAP::NG, the file that verifies if the token is valid isn't compliant
with this because of the following line in
/usr/share/perl5/Lemonldap/NG/Portal/_OpenIDConnect.pm:465 :
"unless ( $json->{token_type} eq "Bearer" ) {"
So in fact it wasn't a problem on Keycloak's side, but LL::NG.
Best regards,
Olivier Nappert
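The check described above, as an added Perl example that is not LemonLDAP::NG's own code: the strict comparison quoted from _OpenIDConnect.pm is placed beside a case-insensitive check that follows RFC 6749, and both are run over constructed token responses (a lowercase "bearer" as Keycloak sends it, a "Bearer", and a non-bearer type). Field names follow the RFC; the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;

# Constructed sample token responses. Keycloak returns "bearer" in lowercase;
# other providers return "Bearer". Both are valid per RFC 6749 section 7.1.
my @responses = (
    '{"access_token":"example-token-1","token_type":"bearer","expires_in":300}',
    '{"access_token":"example-token-2","token_type":"Bearer","expires_in":3600}',
    '{"access_token":"example-token-3","token_type":"mac"}',
);

# The check as quoted from _OpenIDConnect.pm: exact, case-sensitive match,
# so a lowercase "bearer" is rejected.
sub strict_bearer_ok {
    my ($json) = @_;
    return 0 unless defined $json->{token_type} && $json->{token_type} eq "Bearer";
    return 1;
}

# RFC 6749 compliant check: token_type is compared case-insensitively, and
# access_token must be present since it is REQUIRED in the token response.
sub rfc_bearer_ok {
    my ($json) = @_;
    return 0 unless defined $json->{access_token} && length $json->{access_token};
    return 0 unless defined $json->{token_type};
    return lc($json->{token_type}) eq 'bearer' ? 1 : 0;
}

for my $raw (@responses) {
    my $json = decode_json($raw);
    printf "token_type=%-7s strict=%d rfc=%d\n",
        $json->{token_type}, strict_bearer_ok($json), rfc_bearer_ok($json);
}
```

Only the case-insensitive check accepts both bearer spellings while still rejecting a non-bearer token type.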
From: NAPPERT Olivier
Sent: Friday 21 July 2017 16:38
To: 'keycloak-user(a)lists.jboss.org'
Subject: Keycloak OpenIDConnect bearer token problem
Hello,
I am trying to use Keycloak v3.2 standalone (Final) as an OpenID Connect Identity
Provider, with an instance of LemonLDAP::NG working as my OIDC Relying Party. The latter
is already configured and works well with multiple OIDC Identity Providers, like Google or
other LL::NG instances.
When accessing the Keycloak token endpoint, the authentication fails with the following
message:
Token type is bearer but must be Bearer
[perl:debug] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/AuthOpenIDConnect.pm 133:
[perl:error] Token response is not valid
Do you know how to change the token type sent in the Keycloak configuration, please? From
my understanding the OpenID Connect standard states that the token type MUST be Bearer, so
I suspect that I'm not the first who's had this problem.
Best regards,
Olivier NAPPERT