[keycloak-user] invalid_code error when using openidconnect.net to test auth code flow

David Erie (US) David.Erie at datapath.com
Wed Oct 10 10:55:23 EDT 2018


Hi Ratna,
Thanks for helping. Here is an export of my client setup in Keycloak:

    {
      "id": "0ea6f92b-1157-4662-9752-9c502feaf74c",
      "clientId": "oidc-playground",
      "name": "OpenID Connect Playground",
      "description": "Use with https://openidconnect.net to test",
      "rootUrl": "https://openidconnect.net",
      "baseUrl": "/callback",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "/callback"
      ],
      "webOrigins": [
        "*"
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "publicClient": false,
      "frontchannelLogout": false,
      "protocol": "openid-connect",
      "attributes": {
        "saml.assertion.signature": "false",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
      },
      "authenticationFlowBindingOverrides": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        {
          "id": "5bd43ddf-b7be-4147-bdac-bd1b8e1deacf",
          "name": "Client IP Address",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientAddress",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientAddress",
            "jsonType.label": "String"
          }
        },
        {
          "id": "8880a28d-8a8c-4090-9192-faccff12bbb6",
          "name": "Client ID",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientId",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientId",
            "jsonType.label": "String"
          }
        },
        {
          "id": "caf8a3cd-d16e-4484-9b75-ad5d8171bacc",
          "name": "Client Host",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientHost",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientHost",
            "jsonType.label": "String"
          }
        }
      ],
      "defaultClientScopes": [
        "role_list",
        "profile",
        "email"
      ],
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access"
      ]
    }

And here is my setup on openidconnect.net:

    {
      "currentStep": 2,
      "server": "custom",
      "domain": "http://myserver:8447/auth/realms/myrealm/.well-known/openid-configuration",
      "authEndpoint": "http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/auth",
      "tokenEndpoint": "http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token",
      "scopes": "openid",
      "stateToken": "fb366344d63b687945d9954771a3775ac5d2a81a",
      "redirectURI": "https://openidconnect.net/callback",
      "clientID": "oidc-playground",
      "clientSecret": "19709e24-cac8-4ece-8b03-0a40e5c0c765",
      "authCode": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.._-2Ecj5Eu3nOnRbFoZazOQ.qZk8ZcqYv1oyuMQrlKbn85JQnR5c-XtbLXtXA6KtEiwW91SwxrBZryg5i7yktIW2c2tJUbKwGUsi7PXXMZN5XPHEWWLf732sEzZyf5_VjhbLRDL05fkoGxYXM3sHKSjZsLrADNgYNXJiQ57JlCKRe4jHTlxUMTXFYBaQQfv750-EmUqLMuEq7DCM8h6a7DTmHaehEL81cBDscKx3Yd9SVACFvqo6-QhovE3AXCU3et_BYWc7rAvJS-qfiPrAwK-b.4Yz5RZTeXoGqYAAQkS31Pg",
      "idTokenHeader": "",
      "configurationModalOpen": true,
      "validated": false,
      "exchangeResult": "",
      "discoveryURL": "http://myserver:8447/auth/realms/myrealm/.well-known/openid-configuration",
      "tokenKeysEndpoint": "",
      "userInfoEndpoint": "https://samples.auth0.com/userinfo"
    }

Thanks,
Dave

From: Ratna Kamireddy <ratna at qualica.com>
Sent: Wednesday, October 10, 2018 10:44 AM
To: David Erie (US) <David.Erie at datapath.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] invalid_code error when using openidconnect.net to test auth code flow

Well, we got it working, so I might be able to help sort out the issue. But more information would help to solve the problem, like the client setup etc.

Regards
Ratna

On Wed, 10 Oct 2018 at 16:35, David Erie (US) <David.Erie at datapath.com> wrote:
Hello,
I am using https://openidconnect.net to test out the authorization code flow on my Keycloak installation, but I am always getting this error in the log and no token in the response:

type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=..., error=invalid_code

Here's an example of the request:

POST http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token
grant_type=authorization_code
&client_id=oidc-playground
&client_secret=19709e24-cac8-4ece-8b03-0a40e5c0c765
&redirect_url=https://openidconnect.net/callback
&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..w7Pc9yB_htF5F2_cgqDtZA.Ru7B5B-MgYT6mbGy8ykT2dyFVPRSj11HvgJV6rrFownvVUjKYQ90FaiU17rCxpREWC-znDyhzsz4gV7thmz2okswrIUezzgCtzzRqiXo8EidSFZk51qrs1C7UiYklQjMdqyt0qcDRtuhv6eV8YE-t31l3eeuMmKKrT6ikGy_HazJpoOamGyKbGQBGqaJoi8-dNmTVORC7mVHcvX7IEECA0RaSY-gAoNEFPy4ViaGX0JvHGUjUByFsOrQHUea9Fgm.TZbp9Kkt8IEB_JrOALBCYg

Any help would be appreciated.

Thanks,
Dave
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
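Before attributing a failed code exchange to the authorization server, it helps to check the token request against the client registration mechanically. The following is an added example (not code from the thread, from Keycloak, or from openidconnect.net) that parses an `application/x-www-form-urlencoded` token-request body, compares its parameter names with those RFC 6749 section 4.1.3 defines for the authorization-code grant (`grant_type`, `code`, `redirect_uri`, plus `client_id`/`client_secret` for client authentication and PKCE's `code_verifier`), and resolves the client export's relative `redirectUris` against `rootUrl` the way Keycloak does (a trailing `*` is treated as a prefix wildcard). The client export subset, the constructed request body and the `PLACEHOLDER-*` values are assumptions; the body deliberately keeps the `redirect_url` spelling used in the request quoted above so the parameter-name check is exercised.

```python
"""Added example, not part of the keycloak-user thread: sanity-check an
OAuth 2.0 / OIDC authorization-code token request against a Keycloak client
export. Assumes the export shape quoted in the thread (clientId, rootUrl,
redirectUris, standardFlowEnabled) and the parameter names of RFC 6749 4.1.3."""
from urllib.parse import parse_qs, urljoin

# Parameter names of an authorization-code token request (RFC 6749 4.1.3);
# client_id/client_secret cover client authentication, code_verifier is PKCE.
REQUIRED_PARAMS = {"grant_type", "code", "redirect_uri"}
KNOWN_PARAMS = REQUIRED_PARAMS | {"client_id", "client_secret", "code_verifier", "scope"}

# Constructed subset of a Keycloak client export, mirroring the thread's setup.
CLIENT_EXPORT = {
    "clientId": "oidc-playground",
    "rootUrl": "https://openidconnect.net",
    "redirectUris": ["/callback"],
    "standardFlowEnabled": True,
}

# Constructed token-request body; secret and code are placeholders, and the
# parameter spelling follows the request quoted in the thread.
SAMPLE_BODY = (
    "grant_type=authorization_code"
    "&client_id=oidc-playground"
    "&client_secret=PLACEHOLDER-SECRET"
    "&redirect_url=https://openidconnect.net/callback"
    "&code=PLACEHOLDER-CODE"
)


def resolve_redirect_uris(client: dict) -> set[str]:
    """Expand relative redirect URIs against the client's rootUrl, as Keycloak does."""
    root = (client.get("rootUrl") or "").rstrip("/") + "/"
    resolved = set()
    for uri in client.get("redirectUris", []):
        if uri.startswith(("http://", "https://")):
            resolved.add(uri)            # absolute entries are used verbatim
        else:
            resolved.add(urljoin(root, uri.lstrip("/")))
    return resolved


def redirect_uri_allowed(uri: str, allowed: set[str]) -> bool:
    """Exact match, or prefix match for entries ending in '*' (Keycloak wildcard)."""
    for entry in allowed:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def check_token_request(body: str, client: dict) -> list[str]:
    """Return findings about the request; an empty list means it looks well-formed."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    for name in sorted(REQUIRED_PARAMS - params.keys()):
        findings.append(f"missing required parameter: {name}")
    for name in sorted(params.keys() - KNOWN_PARAMS):
        findings.append(f"unrecognised parameter (typo?): {name}")
    if params.get("grant_type") != "authorization_code":
        findings.append(f"grant_type is {params.get('grant_type')!r}, expected 'authorization_code'")
    if params.get("client_id") != client["clientId"]:
        findings.append("client_id does not match the export's clientId")
    if not client.get("standardFlowEnabled", False):
        findings.append("standardFlowEnabled is false: authorization code flow is disabled")
    if "redirect_uri" in params and not redirect_uri_allowed(
        params["redirect_uri"], resolve_redirect_uris(client)
    ):
        findings.append(f"redirect_uri {params['redirect_uri']} is not registered on the client")
    return findings


if __name__ == "__main__":
    for finding in check_token_request(SAMPLE_BODY, CLIENT_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the constructed body, the checker reports a missing `redirect_uri` and an unrecognised `redirect_url`; with the parameter renamed it reports nothing, and a `redirect_uri` that resolves to anything other than `https://openidconnect.net/callback` is flagged as unregistered. The checks are independent of the `code` value, so the function can be pointed at any captured request body without the secret or code being valid.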