There is 1 comment.
 
 
OpenId Connect / OIDC-179 Open

Cannot login when the user is a member of too many groups

 

 
Daniel Beland on 07/Jun/24 22:07
 

Note that this does not really make any sense from an OIDC point of view, that's not what an access token is for (its main point is to be sent with the userinfo request).

I agree but that's how Keycloak configured its "microprofile-jwt".

 

In any case, the authenticator is not storing the access token or the id token (it just keeps them in the session, so the size is not really a problem in any way).

So then my assumption is clearly wrong. In the end to get to the bottom of it I downloaded Eclipse and the source code to remote debug directly on XWiki to understand the problem. It turns out it is Nginx (reverse proxy) that is refusing the connection, that's why Keycloak was not logging any activity.

Error: 400 Request Header Or Cookie Too Large

 

So sorry for the confusion, the access token is problematic when it is too large but that was entirely on the Keycloak side of it as you pointed out.
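
Added example, not part of the comment above and not code from XWiki, Keycloak or Nginx: a sketch of how a token's group list grows a single request header past what Nginx accepts. It assumes Nginx's documented default of `large_client_header_buffers 4 8k` (one header line must fit in one 8k buffer), a constructed unsigned JWT-shaped token with a hypothetical `groups` claim, and that the token is carried in one `Authorization: Bearer` header line.

```python
import base64
import json

# Assumption: nginx default "large_client_header_buffers 4 8k";
# a single header line has to fit into one buffer.
NGINX_HEADER_BUFFER = 8 * 1024


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_groups(n: int) -> list:
    """Constructed group paths, not taken from any real realm."""
    return [f"/dept/group-{i:04d}" for i in range(n)]


def build_token(groups, sig_len: int = 256) -> str:
    """Constructed JWT-shaped token with an RS256-sized dummy signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "user", "groups": groups}
    parts = [json.dumps(header).encode(), json.dumps(payload).encode(),
             b"\0" * sig_len]
    return ".".join(b64url(p) for p in parts)


def header_line_size(name: str, value: str) -> int:
    """Approximate bytes of one header line on the wire, CRLF included."""
    return len(f"{name}: {value}\r\n".encode())


def claim_sizes(token: str) -> list:
    """JSON bytes per payload claim, largest first."""
    seg = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    sizes = {k: len(json.dumps({k: v})) for k, v in payload.items()}
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)


def max_groups_that_fit(limit: int = NGINX_HEADER_BUFFER) -> int:
    """Largest group count whose bearer header still fits the limit."""
    n = 0
    while header_line_size(
            "Authorization", "Bearer " + build_token(sample_groups(n + 1))
    ) <= limit:
        n += 1
    return n
```

Running `claim_sizes` on a real token taken from a failing login shows which claim dominates before deciding whether to trim the claim or resize the proxy buffers.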