OpenID with PingFederate: Not synchronizing provider config for issuer

Has anyone configured Sync Gateway’s OpenID Connect against an internal PingFederate server? I’m using a decently out-of-the-box configuration on the Sync Gateway side, but am running into an error that makes it sound like Sync Gateway is doing something that PingFederate didn’t expect.

Here’s my Sync Gateway config:

"coolbucket": {
  "server": "http://couchbaseserver:8091",
  "bucket": "coolbucket",
  "oidc": {
    "providers": {
      "pingfederate": {
        "issuer":"https://internal.pingfederate.com",
        "client_id":"openid_client",
        "validation_key":"0a2b3c",
        "callback_url": "https://nginx.hostname.com/sync_gateway/coolbucket/_oidc_callback",
        "register":true
      }
    }
  }
},

Basically, we have NGINX load balancing in front of Sync Gateway, so I had to change the callback URL to route PingFederate back to the proper endpoint. After authenticating against PingFederate and being routed back, though, I’m getting a 401 with this message:

{"error":"Unauthorized","reason":"OpenID Connect error: The client MUST NOT use more than one authentication method in each request. (invalid_client)"}

The Sync Gateway logs give me:

HTTP:  #001: GET /pgeemployees/_oidc
OIDC: Getting provider for name
OIDC: Not synchronizing provider config for issuer https://internal.pingfederate.com...
HTTP+: #001:     --> 200   (75.9 ms)
HTTP:  #002: GET /coolbucket/_oidc_callback?code=******&state=
HTTP: #002:     --> 401 OpenID Connect error: The client MUST NOT use more than one authentication method in each request. (invalid_client)  (6.5 ms)

The OIDC log for “not synchronizing provider config” is concerning, but I’m not sure what to do about it.

HOWEVER, if I take the authorization code that I received after authenticating with PingFederate and make the token request using Postman, I can get a 200 response with the token.

So that makes me think Sync Gateway is making the final token request in a way that PingFederate isn’t expecting. Any ideas? I have access to the PingFederate logs as well, but they don’t say anything that we haven’t already seen here.

Thanks!
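
The error text in the 401 is the wording of RFC 6749 section 2.3, which forbids a token request from carrying more than one client authentication method. The following is an added example, not part of the original post and not Sync Gateway or PingFederate code: it lists the client authentication methods present in a captured token request, so a request taken at a proxy can be compared with the one Postman sends. The sample requests, host, path and secrets are constructed placeholders, and whether this condition is what Sync Gateway actually sends is an assumption the post does not confirm.

```python
"""Check a captured OAuth 2.0 token request for multiple client authentication methods."""
from urllib.parse import parse_qs


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body string)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body.strip()


def client_auth_methods(raw: str):
    """List every client authentication method the token request carries."""
    headers, body = parse_http_request(raw)
    form = parse_qs(body, keep_blank_values=True)
    methods = []
    if headers.get("authorization", "").lower().startswith("basic "):
        methods.append("client_secret_basic")   # credentials in the header
    if "client_secret" in form:
        methods.append("client_secret_post")    # credentials in the form body
    if "client_assertion" in form:
        methods.append("client_assertion")      # JWT-based client authentication
    return methods


# Constructed sample requests; host, path, code and secrets are placeholders.
_COMMON = ("POST /token HTTP/1.1\nHost: idp.example\n"
           "Content-Type: application/x-www-form-urlencoded\n")
_FORM = "grant_type=authorization_code&code=PLACEHOLDER&redirect_uri=https%3A%2F%2Frp.example%2Fcb"
_BASIC = "Authorization: Basic b3BlbmlkX2NsaWVudDpzZWNyZXQ=\n"   # openid_client:secret
_POST = "&client_id=openid_client&client_secret=secret"

HEADER_ONLY = _COMMON + _BASIC + "\n" + _FORM
BODY_ONLY = _COMMON + "\n" + _FORM + _POST
BOTH = _COMMON + _BASIC + "\n" + _FORM + _POST

if __name__ == "__main__":
    for label, raw in (("header only", HEADER_ONLY), ("body only", BODY_ONLY), ("both", BOTH)):
        found = client_auth_methods(raw)
        verdict = "more than one method" if len(found) > 1 else "single method"
        print(f"{label:12} {found} -> {verdict}")
```

A `client_id` parameter on its own is not counted, because RFC 6749 treats it as identification rather than authentication.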