I'm trying to implement OIDC auth against a Keycloak identity provider in a .NET Core 8.0 MVC application. However, when I hit the challenge, I consistently get the error:
Cannot redirect to the authorization endpoint, the configuration may be missing or invalid.
Here is the configuration in Program.cs:
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;

    builder.Services.AddAuthentication(options =>
    {
        // The cookie holds the local session; OIDC is only used to challenge.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = "https://mykeycloak.com/auth/realms/myrealm";
        options.ClientId = "my-app-clientid"; // public client so no secret needed
        //options.ClientSecret = "";
        options.CallbackPath = "/auth";
        options.RequireHttpsMetadata = true;
        // Discovery document the handler loads to find the authorization endpoint.
        options.MetadataAddress = "https://mykeycloak.com/auth/realms/myrealm/.well-known/openid-configuration";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.ResponseType = OpenIdConnectResponseType.Code;
    });
If I take the value from MetadataAddress and throw it in the browser, I definitely get the OIDC configuration for Keycloak, so it does seem to be valid. There is definitely a value for authorization_endpoint in the configuration, and if I grab that value and throw it in the URL of my browser (along with the additional required params) it definitely displays the Keycloak login.
It would appear that the OpenIdConnectHandler is somehow unable to either read or parse the configuration, but I have no idea why.
Is there something wrong with my configuration? Is there something special that has to be done when dealing with Keycloak?
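One way to narrow this down is to check the discovery document against exactly what the handler configured above relies on. The handler raises the question's "Cannot redirect to the authorization endpoint" message when the parsed configuration has an empty authorization_endpoint, so the script below (an added example, not code from the question or from Keycloak) parses a discovery document and lists the fields that would break the challenge, the code exchange, token validation, the userinfo call, or PKCE. The embedded document is constructed for offline use; in practice you would paste the body fetched from the MetadataAddress.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document standing in for the one served at the
# MetadataAddress in the question (not real Keycloak output).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mykeycloak.com/auth/realms/myrealm",
    "authorization_endpoint": "https://mykeycloak.com/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://mykeycloak.com/auth/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://mykeycloak.com/auth/realms/myrealm/protocol/openid-connect/userinfo",
    "jwks_uri": "https://mykeycloak.com/auth/realms/myrealm/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
})


def check_discovery(raw, authority, response_type="code", use_userinfo=True, require_https=True):
    """Return a list of problems the OpenIdConnectHandler would trip over; empty means OK."""
    problems = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]

    # Challenge needs authorization_endpoint; code exchange needs token_endpoint;
    # id_token signature validation needs jwks_uri; GetClaimsFromUserInfoEndpoint
    # needs userinfo_endpoint. An empty authorization_endpoint after parsing is
    # what produces "Cannot redirect to the authorization endpoint".
    required = ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"]
    if use_userinfo:
        required.append("userinfo_endpoint")
    for key in required:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key} missing or empty")
        elif key != "issuer" and require_https and urlparse(value).scheme != "https":
            # Mirrors RequireHttpsMetadata = true: endpoints must be https.
            problems.append(f"{key} is not https: {value}")

    # The handler validates the id_token 'iss' against the discovery issuer, so a
    # document whose issuer differs from the Authority usually came from a
    # different realm or host (for example through a rewriting proxy).
    if isinstance(doc.get("issuer"), str) and doc["issuer"].rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} differs from Authority {authority!r}")
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response_type {response_type!r} not advertised by the provider")
    if response_type == "code" and "S256" not in doc.get("code_challenge_methods_supported", []):
        # The ASP.NET Core handler sends a PKCE code_challenge by default for the code flow.
        problems.append("S256 PKCE not advertised; handler sends code_challenge by default")
    return problems
```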