keycloak Provider authenticates but user doesn't get logged in, when deployed to Vercel

[MarkLyck]

The keycloak provider works great on localhost:3000. I'm able to sign in using either server component or client component following the instructions on https://authjs.dev/getting-started/installation

However as soon as I deploy it on Vercel to either preview or production environments. It authenticates with keycloak, and redirects to e.g. /api/auth/callback/keycloak?session_state=9f32c32e-a248-47f3-b842-80359e39b3fb&iss=https%3A%2F%2Fsso.x.com%2Fauth%2Frealms%2Fx&code=xxx

But the session never gets updated to say the user is logged in like it does on localhost:3000. The route also stays on /api/auth/callback/keycloak forever. Whereas localhost:3000 sends me back to /

These are the env variables I configured on Vercel.

AUTH_SECRET=xxxxxxxxxxxxxxx
AUTH_TRUST_HOST=true

KEYCLOAK_ID=frontend-standard-flow-app
KEYCLOAK_SECRET=undefined
KEYCLOAK_ISSUER=https://sso.x.com/auth/realms/x

The clientSecret is intentionally set to a string value of "undefined", since I have client authorization and client authentication turned off on my keycloak client and there is no client secret. I have seen multiple issues about this, that say it can safely be set to a dummy value since next-auth requires it?

on the keycloak side of things, my URLs are set in Valid redirect URIs.

When clicking a signIn button, it does also redirect me to the keycloak login page with my theme set for the client. And when I finish login I can see my session added successfully in client sessions.

So it looks like everything is working from Keycloak's side of things. The login was succesful.

When checking the vercel server logs with debug enabled I see the following debug logs:

�[90m[auth][debug]:�[0m CREATE_PKCECODEVERIFIER { "value": "xxx", "maxAge": 900 }

�[90m[auth][debug]:�[0m authorization url is ready {
  "url": "https://sso.x.com/auth/realms/x/protocol/openid-connect/auth?response_type=code&client_id=frontend-standard-flow-app&redirect_uri=https%3A%2F%2Fx.vercel.app%2Fapi%2Fauth%2Fcallback%2Fkeycloak&code_challenge=xxxx&code_challenge_method=S256&scope=openid+profile+email",
  "cookies": [
    {
      "name": "__Secure-authjs.pkce.code_verifier",
      "value": "xxxx",
      "options": {
        "httpOnly": true,
        "sameSite": "lax",
        "path": "/",
        "secure": true,
        "maxAge": 900,
        "expires": "2024-06-23T04:05:07.630Z"
      }
    }
  ],
  "provider": {
    "id": "keycloak",
    "name": "Keycloak",
    "type": "oidc",
    "style": {
      "brandColor": "#428bca"
    },
    "clientId": "frontend-standard-flow-app",
    "clientSecret": "undefined",
    "issuer": "https://sso.x.com/auth/realms/x",
    "signinUrl": "https://xvercel.app/api/auth/signin/keycloak",
    "callbackUrl": "https://x.vercel.app/api/auth/callback/keycloak",
    "wellKnown": "https://sso.x.com/auth/realms/x/.well-known/openid-configuration",
    "checks": [
      "pkce"
    ]
  }
}

(redacted sensitive info)

When logging in on localhost I would get 1 more debug log called authorization result. However this never gets logged when it's deployed to Vercel.

I'm using Next@15 and next-auth@5 (beta)

I've tested localhost both using dev mode, and built a production build, which both work fine.

Thanks in advance for any help debugging why my login attempts are unsuccessful when deployed.