I need some help getting SSO with Keycloak to work

Hi,
I followed all directions mentioned on https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/
Trying to log in I get redirected, I log in and get redirected again.
But at that point I get an error 500.
I really have no clue why this happens. Any and all hints are highly appreciated.

Regards,
Jeroen Baten

# HTTP Status 500 – Internal Server Error

**Type** Exception Report

**Message** Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]

**Description** The server encountered an unexpected condition that prevented it from fulfilling the request.

**Exception**

```
javax.servlet.ServletException: Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:161)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

**Root Cause**

```
org.xwiki.resource.ResourceReferenceHandlerException: Failed to handle http servlet request
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
    org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
    org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

**Root Cause**

```
org.xwiki.contrib.oidc.provider.internal.OIDCException: Invalid state [lcbIgOZRlfTeT9lFWDFfdSCcPS-MDnXBhlUPpmE3po0]
    org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:110)
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
    org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
    org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
    org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
    org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
```

**Note** The full stack trace of the root cause is available in the server logs.

In the end it was, of course, a PEBCAK and an SSL config challenge.

Used mkcert from GitHub to make certs.

After that, a bug in an Ansible playbook gave me an empty client-secret in xwiki.properties.
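
An added example, not part of the original post and not XWiki or Ansible code: a pre-deployment check for the failure described above, where a templating bug writes an empty secret into a rendered properties file. The key names in the sample are constructed placeholders, the sensitive-key pattern is an assumption to adapt, and only single-line entries are handled.

```python
import re
import sys

# Assumption: secret-bearing keys contain one of these words; adapt to the real key names.
SENSITIVE = re.compile(r"secret|password|passwd|token", re.IGNORECASE)
# Jinja2 delimiters left behind when a template was copied instead of rendered.
UNRENDERED = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")
# Values a template engine commonly emits for an undefined or null variable.
NULLISH = {"", "none", "null", '""', "''"}


def parse_properties(text):
    """Yield (line_no, key, value) for each single-line .properties entry."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            yield no, m.group(1), m.group(2).strip()


def find_blank_secrets(text):
    """Return (line_no, key, reason) for sensitive keys with no usable value."""
    findings = []
    for no, key, value in parse_properties(text):
        if not SENSITIVE.search(key):
            continue
        if value.lower() in NULLISH:
            findings.append((no, key, "empty"))
        elif UNRENDERED.search(value):
            findings.append((no, key, "unrendered template"))
    return findings


# Constructed sample of a rendered properties file (placeholder key names).
SAMPLE = """\
# sso.client-secret=commented-out-default
sso.client-id=xwiki
sso.client-secret=
sso.backup.password = {{ vault_backup_password }}
sso.api.token=None
sso.other.secret: s3cr3t-value
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    found = find_blank_secrets(open(path).read() if path else SAMPLE)
    for no, key, why in found:
        print(f"line {no}: {key} is {why}")
    sys.exit(1 if path and found else 0)
```

Run against the rendered file as a task after templating, the non-zero exit stops the deployment before the application starts with a blank secret.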