@Jay: Hey, I’m trying to use Pomerium with Keycloak OIDC as the IdP, but I’m getting this error whenever a user authenticates. I’ve tried searching but I can’t find anyone else who has solved this issue in the past, so I was wondering if you guys had any pointers for me.
Thanks in advance
@Bobby: Hey Jay, thanks for reaching out. It looks like your surf provider (Keycloak) is not responding with the id_token that’s required for OpenID Connect based flows, which Pomerium relies on. I’m not very familiar with Keycloak, but I imagine it’s a configuration issue there.
@Jay: Hey Bobby, thanks for taking a look. Will reach out to them. Have a good holiday!
@Jay: Fixed it: I needed to add the openid scope in the Pomerium config; I only had the email scope.