Certificate errors using an internal identity provider from one realm to another in Keycloak


Overview

Following the answer of another Keycloak identity provider thread, I have two realms set up to keep users separate. The external realm contains a Keycloak OpenID Connect identity provider to the internal realm. Within the external realm there is a client configured which allows my application to validate users through a client adapter.

I am using Keycloak version 18.0.0.

Configuration

Any setting not specified is OFF, not set (blank entry), or the default.

The identity provider configured in the external realm has the following settings:

  • Enabled: true
  • Store Tokens: ON
  • Trust Email: ON
  • First Login Flow: first broker login
  • Sync Mode: force
  • OIDC settings:
    • Auth URL, Token URL, Logout URL, and User Info URL all set to the matching internal realm client
    • Client Authentication: Client secret sent as basic auth
    • Client Secret set to matching client secret
    • Issuer set to internal realm URL. Ex: https://<hostname>/auth/realms/<internalRealmName>
    • Default Scopes: openid
    • Prompt: unspecified
    • Validate Signatures: ON
    • Use JWKS URL: ON, JWKS URL set to matching internal realm cert location. Ex: https://<hostname>/auth/realms/<internalRealmName>/protocol/openid-connect/certs
    • Use PKCE: ON
    • PKCE Method: S256

The client configured in the internal realm has the following settings:

  • Enabled: true
  • Client Protocol: openid-connect
  • Access Type: confidential
  • Standard Flow Enabled: ON
  • Valid Redirect URIs: https://<hostname>/auth/realms/<externalRealmName>/broker/<internalRealmName>/endpoint
  • Backchannel Logout Session Required: ON
  • Credentials
    • Client Authenticator: Client Id and Secret
    • Secret copied over and set in the external realm identity provider configuration

Problem

Users that exist in the external realm can log in, as well as users that are configured to log in through another separate external OIDC identity provider (this is not the identity provider to the internal realm, just an example that the identity provider login flow is working).

Users that attempt to log in via the identity provider to the internal realm cannot log in. The login page displays "Unexpected error when authenticating with identity provider".

Checking the Keycloak logs, I see the following error:

WARN  [org.keycloak.events] (default task-405) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=<externalRealmName>, clientId=<externalRealmClientName>, userId=null, ipAddress=<removed>, error=identity_provider_login_failure, code_id=258c44bd-88fc-44a1-b93c-18225b00df49

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-405) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Request for help

Why would Keycloak be failing to validate the certificate when using this identity provider? It is able to authenticate successfully using the SSL setup for the external realm as well as another identity provider for an external connection. I can't figure out where the Keycloak certification failure is really happening.


There are 0 answers