OIDC SSO with Keycloak (Cloud-IAM) - OAuthRedirectProcessor fails before token exchange on Australia

朋張
Mega Contributor

Hello,

I'm struggling to get OIDC SSO working between my ServiceNow Dev instance and Keycloak (Cloud-IAM). I've spent extensive time debugging and have narrowed down the root cause, but it appears to be inside the Java processor which I cannot debug further.

Environment:

  • Instance: dev377216.service-now.com
  • Version: Australia (Patch 1), Build: glide-australia-02-11-2026__patch1-03-23-2026
  • IdP: Cloud-IAM (Keycloak) - lemur-16.cloud-iam.com, Realm: security-sso

Problem: After successful authentication on Keycloak, the callback to oauth_redirect.do results in:

"Your OAuth redirect failed. Please check if the redirect URL setup in your OAuth configuration matches your ServiceNow instance URL."

However, the redirect URL is NOT the problem. Here is what I have confirmed:

  1. Keycloak LOGIN succeeds - Events log shows successful LOGIN, auth_method=openid-connect, Client=ServiceNow
  2. No CODE_TO_TOKEN event - ServiceNow never sends the token exchange request to Keycloak
  3. Manual token exchange works - Using sn_ws.RESTMessageV2 in Scripts - Background with a valid auth code returns Status 200 with valid access_token, id_token, and refresh_token
  4. No outbound HTTP to /token endpoint - sys_outbound_http_log shows requests to .well-known/openid-configuration and /certs, but NO request to /token during SSO flow
  5. State parameter is never consumed - multisso_request_parameter record remains consumed=0
  6. OAuthUtilDebug trace - Created a custom script extending OAuthUtil and set it as OAuth API Script. Logs show:
       DebugOIDC: initialized
       DebugOIDC: preprocessAuthCode called

The interceptRequestParameters and parseTokenResponse methods are never called. The Java processor fails between preprocessAuthCode and the token exchange.

Configuration (all verified correct):

Troubleshooting already done (18 items):

  1. Verified redirect URL matches on both sides
  2. Re-copied Client Secret from Keycloak
  3. Verified user mapping (preferred_username → User ID)
  4. Confirmed OIDC Metadata URL accessible (Status 200)
  5. Confirmed manual token exchange succeeds (Status 200)
  6. Toggled send_client_credentials_as between basic_auth_header and request_body_parameter
  7. Changed default_grant_type to authorization_code
  8. Changed token_format from opaque to jwt
  9. Added openid scope to OAuth Entity Profile Scopes
  10. Disabled JTI claim verification
  11. Excluded iss and session_state from Keycloak auth response
  12. Set glide.url.default
  13. Enabled SSO debug logging
  14. Tested in incognito / cleared cache
  15. Deleted and recreated entire OIDC config from scratch
  16. Verified com.snc.platform.security.oauth.is.active = true
  17. Changed access and scope_restriction_status on oauth_entity
  18. Created OAuthUtilDebug to trace processing flow

Possibly relevant: The legacy OAuth plugin com.snc.platform.security.oauth.legacy is active on this instance. Its description says "do not activate...use 'OAuth 2.0' instead". Could this be interfering with the OIDC callback?

Plugins active:

  • com.snc.platform.security.oauth (OAuth 2.0) - Active
  • com.snc.platform.security.oauth.legacy (OAuth 2.0 legacy) - Active
  • com.snc.integration.sso.multi.installer (Multi-Provider SSO Installer) - Active
  • com.snc.integration.sso.multi.ui (Multi-Provider SSO Enhanced UI) - Active

The detailed investigation report is attached as a Word document.

Has anyone experienced this issue on the Australia release? Any help would be greatly appreciated.

Thank you.