I’m using Keycloak for authentication in my C# application. I’m using the OidcClient library to handle the authentication process. However, I’m encountering an issue: after a successful login, the IdentityToken is null while the AccessToken is valid.
Here’s a snippet of my code:
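// Run the interactive OIDC login and wait for the outcome.
var result = await _oidcClient.LoginAsync(new LoginRequest());
if (result is null || result.IsError)
{
    // Message template instead of an interpolated string: the error text is
    // passed as a logged value rather than becoming part of the format string.
    _logger.LogError("Error in connection: {Error}", result?.Error ?? "No error");
}
else
{
    // Tokens are read on the success path only; on the failure path `result`
    // may be null or carry an error, so it must not be dereferenced there.
    var accessToken = result.AccessToken;     // OK
    // Observed as null even though the `openid` scope was requested. The
    // logout step needs this value (presumably as the id_token_hint; confirm
    // against the logout call), so check it for null before starting logout.
    var identityToken = result.IdentityToken; // Null
}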
The scopes requested for this call are: openid offline_access
My client in Keycloak uses the OpenID Connect protocol.
The connection works in itself, but I need the IdentityToken for the logout.
Has anyone encountered this issue before? Any help would be greatly appreciated.
Thank you in advance!
I’ve searched for answers, but everything that came close was too old and did not apply to the latest version of Keycloak (I need an answer for 22.0.3).
Edit: here is the client configuration from my dev environment:
{
"clientId": "appclient",
"name": "App ClientId",
"description": "",
"rootUrl": "",
"adminUrl": "",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"app://authcallback/*"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"client.secret.creation.time": "1697036807",
"post.logout.redirect.uris": "app://authcallback/*",
"oauth2.device.authorization.grant.enabled": "true",
"backchannel.logout.revoke.offline.tokens": "true",
"use.refresh.tokens": "true",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
"tls.client.certificate.bound.access.tokens": "false",
"display.on.consent.screen": "false",
"token.response.type.bearer.lower-case": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "Client IP Address",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientAddress",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientAddress",
"jsonType.label": "String"
}
},
{
"name": "Client ID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "client_id",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "client_id",
"jsonType.label": "String"
}
},
{
"name": "Client Host",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientHost",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientHost",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"openid",
"roles",
"profile",
"user"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt",
"email"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}