[keycloak-user] Identity brokering - invalid request issue

Yuriy Yunikov yuriy.yunikov at verygood.systems
Fri Mar 16 10:11:01 EDT 2018


Hello,

I'm using identity brokering
<http://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker>
with the Identity
Provider Redirector for browser sessions, so as I understand it, it
works this way (simplified):
1) User accesses the application page;
2) The user gets redirected to Keycloak;
3) Keycloak redirects to the IDP login page;
4) User performs login, the IDP redirects to Keycloak;
5) Keycloak grants a token.

Sometimes during this flow, users get "Invalid Request" error page.
Here are the logs:
2018-03-16 09:19:48,125 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-1)
Invalid request. Authorization code, clientId or tabId was null.
Code=Ut8RrxKbNTPrAFcgxOEjx-r0n2-mUQW7, clientId=null, tabID=null
2018-03-16 09:19:48,129 WARN  [org.keycloak.events] (default task-1)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=test, clientId=null,
userId=null, ipAddress=182.190.32.17, error=invalidRequestMessage
2018-03-16 09:19:48,130 ERROR
[org.keycloak.services.resources.IdentityBrokerService] (default task-1)
invalidRequestMessage

Here is a line of code where it happens:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java#L989

The way I'm aware this can be reproduced is by accessing the IDP login page
directly; this way steps 1 and 2 are skipped and the IDP doesn't know for
which client to grant a token, so clientId is null.

However, there were cases when users were accessing the application page
and all redirect flows happened as they should have. I know that this
occurred after 1-2 days of inactivity in the browser, but I don't know how
to reproduce it.

Are there any ideas or suggestions on how this "Invalid Request" problem
can be resolved?

Regards,
Yuriy
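Added example, not part of the post above and not Keycloak's own code: a toy model of the five-step brokered login, written to show why the log line "Authorization code, clientId or tabId was null" can carry a code but no clientId/tabId. It assumes the broker remembers the initiating client_id and tab_id server-side under the OAuth "state" value it sends to the IdP and resolves them again on the callback; the encoding Keycloak really uses is not modelled. The direct-IdP-access case is the reproduction the post describes; the "stale session" case is a hypothetical scenario that merely produces the same logged values (code set, clientId and tabId null) and is not a confirmed cause. URLs and identifiers are constructed.

```python
"""Toy model of the brokered login flow (steps 1-5 in the post).

Added example, not Keycloak code. Assumption: the broker keeps the
initiating client_id and tab_id in server-side state keyed by the OAuth
'state' value it sends to the IdP, and resolves them on the callback.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_AUTH = "https://idp.example/auth"                          # constructed
BROKER_CALLBACK = "https://keycloak.example/broker/endpoint"   # constructed


@dataclass
class CallbackResult:
    ok: bool
    code: Optional[str]
    client_id: Optional[str]
    tab_id: Optional[str]
    error: Optional[str] = None


def _param(url: str, name: str) -> Optional[str]:
    """First value of a query parameter, or None when it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


class Broker:
    """Stand-in for the Keycloak broker endpoint (hypothetical behaviour)."""

    def __init__(self) -> None:
        # state -> (client_id, tab_id). In a real server this lives in the
        # login session and can be evicted when that session goes away.
        self.pending: Dict[str, Tuple[str, str]] = {}

    def start_login(self, client_id: str, tab_id: str) -> str:
        """Steps 2-3: the application sent the user here; redirect to IdP."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = (client_id, tab_id)
        return IDP_AUTH + "?" + urlencode(
            {"state": state, "redirect_uri": BROKER_CALLBACK})

    def expire_sessions(self) -> None:
        """Simulates the broker losing all pending login context."""
        self.pending.clear()

    def callback(self, url: str) -> CallbackResult:
        """Step 5: IdP redirected back. Mirrors the null check behind the
        'Authorization code, clientId or tabId was null' log line."""
        code = _param(url, "code")
        state = _param(url, "state")
        client_id, tab_id = (None, None)
        if state is not None:
            client_id, tab_id = self.pending.pop(state, (None, None))
        if code is None or client_id is None or tab_id is None:
            return CallbackResult(False, code, client_id, tab_id,
                                  "invalidRequestMessage")
        return CallbackResult(True, code, client_id, tab_id)


def idp_login(auth_url: Optional[str] = None) -> str:
    """Step 4: user authenticates at the IdP, which redirects to the broker.
    The IdP can only echo a 'state' value if it received one."""
    params = {"code": secrets.token_urlsafe(24)}
    if auth_url is not None:
        state = _param(auth_url, "state")
        if state is not None:
            params["state"] = state
    return BROKER_CALLBACK + "?" + urlencode(params)


def normal_flow(broker: Broker) -> CallbackResult:
    """Steps 1-5 in order: the broker resolves client and tab again."""
    return broker.callback(idp_login(broker.start_login("my-app", "tab-1")))


def direct_idp_access(broker: Broker) -> CallbackResult:
    """Reproduction from the post: the IdP login page is opened directly,
    skipping steps 1-2, so there is no state and no clientId/tabId."""
    return broker.callback(idp_login())


def stale_session(broker: Broker) -> CallbackResult:
    """Hypothetical: the flow started correctly, but the broker's pending
    context was gone by the time the IdP redirected back."""
    auth_url = broker.start_login("my-app", "tab-1")
    broker.expire_sessions()
    return broker.callback(idp_login(auth_url))


if __name__ == "__main__":
    for name, fn in [("normal", normal_flow), ("direct", direct_idp_access),
                     ("stale", stale_session)]:
        r = fn(Broker())
        print(f"{name}: ok={r.ok} clientId={r.client_id} tabId={r.tab_id} "
              f"code={'set' if r.code else None} error={r.error}")
```

Running it prints one line per scenario; the "direct" and "stale" cases both end with code set and clientId/tabId None, which is the shape of the values in the DEBUG line quoted above.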

