[keycloak-user] Login issue when using KeyCloak as an identity broker

The, Andrew andrew.the at cgi.com
Fri Mar 9 12:34:40 EST 2018


Hi,

I have configured KeyCloak as an Identity broker for OIDC use, and we are experiencing an issue when attempting to log in.  I would appreciate some help regarding this situation.

Here are the steps we are using to experience the issue:
1) Connect to the SP, who redirects the user to sign on with KeyCloak;
2) The KeyCloak login page is displayed;
3) Select that IdP configured in KeyCloak; KeyCloak redirects the user to the IdP login page;
4) Login on that page; IdP redirects user to KeyCloak;
5) KeyCloak displays the "We're sorry." page.

Here is the error message found in the logs:
12:15:24,530 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-15) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
	at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:444)
	at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:346)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
	at sun.reflect.GeneratedMethodAccessor828.invoke(Unknown Source)
<snip>

My understanding is that KeyCloak requests a 'response_type' of 'code' flow for communication with the IdP.  However when the IdP responds, KeyCloak appears to require a 'token' response.

The closest JIRA I found was https://issues.jboss.org/browse/KEYCLOAK-5441.

Thank you,
--
Andrew The | Director Consulting
Global delivery center - Saguenay | CGI
930, Jacques Cartier Est, 3rd floor, Chicoutimi (Québec) G7H 7K9
T: 877 696 6780 #1653251 | P: +1 418 696 6780 #1653251 | C: +1 418 540 4475
andrew.the at cgi.com
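As an added example (not Keycloak's code and not part of Andrew's message), the following shows the messages exchanged in the authorization code flow described in steps 3 and 4 above, and the check a broker performs on the token endpoint reply before building a federated identity. The reply-without-access_token case is the one that produces the "No access_token from server" line quoted from the log. All endpoint URLs, client ids, secrets and token values are constructed sample values, and the id_token payload is decoded for inspection only, without signature verification.

```python
"""Added example: OIDC code flow as seen by an identity broker.
Constructed values only; no network access is made."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_url(authorization_endpoint, client_id, redirect_uri, state, nonce):
    """Step 3: broker sends the browser to the IdP asking for a code (front channel)."""
    params = {
        "response_type": "code",   # code flow: no token travels through the browser
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,            # bound to the broker session, checked on return
        "nonce": nonce,            # echoed in the id_token, checked after verification
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 4: IdP redirects back with ?code=...&state=... (or ?error=...)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return {"ok": False, "reason": "state mismatch (stale session or forged callback)"}
    if "error" in query:
        return {"ok": False, "reason": "IdP error: " + query["error"][0]}
    if "code" not in query:
        return {"ok": False, "reason": "no authorization code in callback"}
    return {"ok": True, "code": query["code"][0]}


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Back channel: the broker POSTs this form body to the IdP token endpoint."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def _b64url_json(segment):
    """Decode one base64url JWT segment into JSON (padding restored)."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token_response(body):
    """Validate the token endpoint reply the way a broker must before trusting it.

    A reply carrying only an id_token (or an error, or an HTML page) is rejected;
    the access_token is mandatory in a successful code-exchange response."""
    try:
        tokens = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": "token endpoint did not return JSON"}
    if not isinstance(tokens, dict):
        return {"ok": False, "reason": "token endpoint did not return a JSON object"}
    if "error" in tokens:
        return {"ok": False, "reason": "IdP error: " + str(tokens["error"])}
    if not tokens.get("access_token"):
        return {"ok": False, "reason": "No access_token from server"}
    result = {"ok": True, "access_token": tokens["access_token"],
              "token_type": tokens.get("token_type")}
    if "id_token" in tokens:
        # Inspection only: a real broker verifies signature, iss, aud and nonce first.
        result["id_token_claims"] = _b64url_json(tokens["id_token"].split(".")[1])
    return result


def _sample_id_token():
    """Constructed JWT-shaped string (signature segment is a dummy) to exercise parsing."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"iss": "https://idp.example", "sub": "user-123",
                   "aud": "keycloak-broker", "nonce": "n-1"})
    return ".".join([header, payload, "c2lnbmF0dXJl"])


# Constructed token endpoint replies: one good, three that a broker must reject.
GOOD_RESPONSE = json.dumps({"access_token": "at-abc", "token_type": "Bearer",
                            "expires_in": 300, "id_token": _sample_id_token()})
ID_TOKEN_ONLY = json.dumps({"id_token": _sample_id_token(), "token_type": "Bearer"})
ERROR_RESPONSE = json.dumps({"error": "invalid_grant"})
HTML_RESPONSE = "<html><body>Please sign in</body></html>"

if __name__ == "__main__":
    print(build_authorization_url("https://idp.example/auth", "keycloak-broker",
                                  "https://kc.example/cb", "s-1", "n-1"))
    print(parse_callback("https://kc.example/cb?code=xyz&state=s-1", "s-1"))
    print(build_token_request("xyz", "https://kc.example/cb", "keycloak-broker", "secret"))
    for name, body in [("good", GOOD_RESPONSE), ("id_token only", ID_TOKEN_ONLY),
                       ("error", ERROR_RESPONSE), ("html", HTML_RESPONSE)]:
        print(name, "->", check_token_response(body))
```

When debugging a brokered login, capturing the raw token endpoint reply (status, Content-Type and body) and running it through a check like `check_token_response` separates the three usual causes of this error: an IdP that returns only an `id_token` for the code exchange, an `error` reply such as `invalid_grant` or `invalid_client`, and a misconfigured token URL that answers with an HTML page instead of JSON.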
