[HELP] Azure AD Identity Provider – “Unexpected error when authenticating” + “No access_token from server”

For some users, Keycloak fails to authenticate via Azure AD and displays the following error on screen:

“Unexpected error when authenticating with identity provider”

In the logs, I see this stack trace:

org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
	at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:515)
	at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:360)

This only happens to some users, not all.

What I’ve checked so far

  • My Identity Provider settings in Keycloak use these scopes:
openid email profile
  • I confirmed that the affected users have a valid email and userPrincipalName in Azure.
  • The First Broker Login flow includes:
    • Review Profile (required)
    • Create user if unique (required)
    • Handle existing account (alternative)
    • Confirm link existing account (required)
    • Conditional OTP if user configured, etc.
  • I’ve also confirmed the Azure endpoints:
    • Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

My setup

  • Azure AD: Configured via OIDC as an Identity Provider
  • I have a registered app in Azure AD with:
    • Correct Redirect URI pointing to Keycloak
    • Required API permissions (openid, email, profile)
    • OIDC endpoints correctly set
  • Keycloak Identity Provider Settings:
    • Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    • Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • Client Secret: value is correct

Observations

  • Most users authenticate without issues.
  • Affected users report being redirected back to Keycloak and then seeing the error immediately.
  • Sometimes, if the user retries once or twice, the login works.
  • The error only appears for some users – it’s not a global issue.
  • In my personal case, I was able to log in successfully all day, but the next morning, when I tried to reconnect (I had the site open in a pinned tab), I got the same “Unexpected error when authenticating” message. Refreshing the page fixed it temporarily, but when I tried logging in through an incognito window, the error occurred consistently without recovery.
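The stack trace in the post says only that the token endpoint's response contained no access_token; Keycloak does not log what the endpoint did return. The script below is an added example (it is not Keycloak code and not from the original post) that replays the same authorization-code exchange against the Azure AD v2.0 token endpoint listed above and keeps the endpoint's own error and error_description, plus a claims dump of the id_token so the email and preferred_username claims can be compared with what Keycloak expects. The tenant id, client id, redirect URI, authorization code and both sample responses are constructed placeholders, not values from the thread.

```python
"""Replay Keycloak's code-for-token exchange against Azure AD and show the raw result.
Added example for this thread; not Keycloak's implementation."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

SCOPES = "openid email profile"  # same scopes as the Keycloak IdP config in the post


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri):
    """Build the authorization-code exchange Keycloak sends to the v2.0 token endpoint
    (RFC 6749 section 4.1.3). Returns (url, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the Azure app registration exactly
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPES,
    })
    return url, body


def token_response_problem(body):
    """Return why Keycloak would reject this token-endpoint body, or None if it is usable.
    Keycloak only reports 'No access_token from server'; this keeps the endpoint's own
    error and error_description, which is what you actually need in the logs."""
    try:
        data = json.loads(body)
    except ValueError:
        return "token endpoint returned non-JSON: " + body[:200]
    if "error" in data:
        return f"{data['error']}: {data.get('error_description', '(no description)')}"
    if not data.get("access_token"):
        return "200 response without access_token; fields present: " + ", ".join(sorted(data))
    return None


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. For inspection only;
    never use this to make an authentication decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def exchange_code(tenant_id, client_id, client_secret, code, redirect_uri):
    """Network call: replay the exchange. Azure answers errors with HTTP 400 plus a JSON
    body; urllib raises on 4xx, so the body is read from the exception instead of lost."""
    url, body = build_token_request(tenant_id, client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read().decode()
    except urllib.error.HTTPError as exc:
        raw = exc.read().decode()
    problem = token_response_problem(raw)
    if problem:
        raise RuntimeError(problem)
    data = json.loads(raw)
    claims = decode_jwt_claims(data["id_token"]) if "id_token" in data else {}
    return data, claims


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample responses (not real Azure output); the id_token is unsigned.
CONSTRUCTED_ID_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
             "email": "alice@example.com",
             "preferred_username": "alice@example.com"}),
    "",
])
CONSTRUCTED_OK = json.dumps({"token_type": "Bearer", "scope": SCOPES, "expires_in": 3599,
                             "access_token": "constructed-access-token",
                             "id_token": CONSTRUCTED_ID_TOKEN})
CONSTRUCTED_ERROR = json.dumps({"error": "invalid_grant",
                                "error_description": "constructed: code already redeemed or expired"})

if __name__ == "__main__":
    # Offline demonstration; swap in exchange_code(...) with a code captured from the
    # redirect back to Keycloak to inspect a real failing exchange.
    for label, sample in (("ok", CONSTRUCTED_OK), ("error", CONSTRUCTED_ERROR)):
        print(label, "->", token_response_problem(sample))
    print("id_token claims:", decode_jwt_claims(CONSTRUCTED_ID_TOKEN))
```

An authorization code is single-use and short-lived, so a code that Keycloak already sent to the token endpoint will itself produce an error when replayed; capture a fresh one (for example by pointing the app registration's redirect URI at a local listener during the test) and send exactly the redirect_uri Keycloak is configured with.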