Reputation: 61
I am trying to configure Keycloak as an Identity Broker between an OIDC Provider and another application. I was able to achieve successful user login when the ID Tokens were not encrypted.
I am trying to configure Keycloak to be able to accept encrypted ID Tokens. But when setting up an OIDC identity provider in Keycloak in "Identity Providers", there was no option to explicitly indicate that the ID Tokens would be encrypted, nor was there any option to indicate what key to use for decryption.
I have tried adding a self-generated RSA key to "Realm Settings > Keys", and did configuration at the OIDC Provider end to use the public key for encryption. In the JWE representation of the encrypted ID Token, the JOSE header contains "RSA-OAEP-256" in the "alg", and "A256CBC-HS512" in the "enc". However, now with encryption enabled, RHSSO throws the following exception when I try to login from the OIDC Provider:
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-94) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Invalid token
I have tested separately to confirm that the encrypted ID token has been generated properly. The OIDC provider that I have been using is this: https://github.com/panva/node-oidc-provider
Is there anything which I may have misconfigured?
Edit: Updated to indicate actions that I have tried
Upvotes: 4
Views: 833
Reputation: 386
Decryption of brokered encrypted ID Tokens has only been supported since Keycloak 22, released on July 11, 2023.
See https://github.com/keycloak/keycloak/pull/21355.
Upvotes: 0
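A small triage script, added here as an example (it is not part of the question, the answer, or Keycloak itself): it decodes the JOSE header of a compact token to tell a signed (JWS, 3 segments) from an encrypted (JWE, 5 segments) ID token, reports the `alg`/`enc` values the question mentions, and checks the broker version requirement stated in the answer (Keycloak 22). The sample token, its `kid`, and the version strings are constructed placeholders, not real ciphertext.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JOSE does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a JWE compact serialization whose protected header matches
# the one described in the question; the other four segments are placeholders.
SAMPLE_JWE = ".".join([
    b64url(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512",
                       "kid": "placeholder-kid"}).encode()),
    b64url(b"encrypted-cek-placeholder"),
    b64url(b"iv-placeholder--"),
    b64url(b"ciphertext-placeholder"),
    b64url(b"tag-placeholder"),
])


def decode_jose_header(token: str) -> dict:
    """Return the token kind (JWS or JWE) and its decoded protected header."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    # Restore the padding that base64url strips before decoding.
    header_b64 = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    return {"kind": "JWE" if len(parts) == 5 else "JWS", "header": header}


def diagnose(token: str, keycloak_version: str) -> str:
    """Explain whether a brokered ID token of this shape can be consumed."""
    info = decode_jose_header(token)
    major = int(keycloak_version.split(".")[0])
    if info["kind"] == "JWS":
        return "signed ID token; brokering needs only the issuer's signing key"
    alg, enc = info["header"].get("alg"), info["header"].get("enc")
    if major < 22:
        return (f"encrypted ID token ({alg}/{enc}) but Keycloak {keycloak_version} "
                f"is below 22 and cannot decrypt brokered tokens")
    return (f"encrypted ID token ({alg}/{enc}); Keycloak {keycloak_version} "
            f"supports decryption, so verify the realm's RSA key matches 'kid'")
```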