[keycloak-user] invalid_code when redirecting back from identity provider

Scheinmann, Jonathan jonathan.scheinmann at dxc.com
Mon Sep 11 04:26:37 EDT 2017


When setting up a second Keycloak as identity provider, I am forwarded correctly to the identity provider and back to the initial Keycloak instance. So far so good, but as soon as I am forwarded back to the initial instance I receive an error page with the following log entry:

06:42:40,715 WARN [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=<myrealm>, clientId=null, userId=null, ipAddress=<my ip>, error=invalid_code

It is not really clear what the error is in this case. It seems that the second Keycloak instance (the identity provider) generates a wrong authorization code, which is not accepted by the first Keycloak instance. But as a user I do not really see how I could change that behaviour. It is not really clear what to do with this error. Whatever is causing this error (which is obviously just a warning?), it has to be clearer.

I attached the screenshots of the identity provider configuration in the first Keycloak instance and the client configuration in the second Keycloak instance.

When using direct grant against the identity provider instance I can successfully fetch an access token. It is therefore not an authorization issue itself (as I was successfully authenticated) but maybe rather related to the generation or parsing of the authorization code.

Environment:

Official docker image jboss/keycloak 3.3.0.CR1 for both instances

Steps to reproduce:

1. Set up 2 Keycloak instances, where one instance acts as identity provider (with the options set similar to the screenshots attached)
1.1 Use /auth/realms/myrealm/.well-known/openid-configuration to export the client config of the identity provider and import it as the identity provider configuration
2. Create a user in the identity provider instance
3. Call /auth/realms/<myrealm>/protocol/openid-connect/auth?client_id=token-exchange&login=true&redirect_uri=<redirect-uri>&response_type=token&nonce=123 in the first Keycloak instance and click on the identity provider button.
4. Log in with the user created
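The reproduction above wires two Keycloak instances together by hand: the discovery document of the identity-provider realm is turned into the broker's identity provider configuration, the broker's callback endpoint must be an allowed redirect URI of the client on the identity provider, and step 3 is an authorization request that is then handed over to the broker. The script below is an added example for this post (not Keycloak's code and not the original poster's) that does those three pieces offline on a constructed discovery document: it builds the identity provider representation, derives the broker callback URI, checks it against the client's "Valid Redirect URIs" and checks that the advertised issuer matches the realm the discovery URL was fetched from, and builds the step-3 URL with Keycloak's kc_idp_hint parameter so the browser is sent straight to the chosen provider. Assumptions: the representation field names (alias, providerId, config.authorizationUrl, config.tokenUrl, and so on) are written from memory of Keycloak's IdentityProviderRepresentation and should be compared with an admin-console export of the version in use; the redirect-URI matcher is a simplified reimplementation of Keycloak's rule (exact match or trailing `*` as prefix); the host names are placeholders.

```python
"""Build a Keycloak OIDC identity-provider (broker) configuration from the
remote realm's discovery document and check the static pieces that must
agree for a brokered login to round-trip.

Added example, not Keycloak's own code. Representation field names are
assumed from Keycloak's IdentityProviderRepresentation (admin REST API,
POST /auth/admin/realms/{realm}/identity-provider/instances) and should be
verified against an admin-console export of the target version.
"""
from urllib.parse import urlencode

# Constructed sample with the shape of
# https://idp.example.com/auth/realms/myrealm/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": "https://idp.example.com/auth/realms/myrealm",
    "authorization_endpoint": "https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/logout",
    "jwks_uri": "https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/certs",
}


def build_idp_representation(discovery, alias, client_id, client_secret):
    """Map discovery fields onto the broker's identity-provider config (assumed field names)."""
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery.get("userinfo_endpoint", ""),
            "logoutUrl": discovery.get("end_session_endpoint", ""),
            "jwksUrl": discovery.get("jwks_uri", ""),
            "useJwksUrl": "true",
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": "openid",
        },
    }


def broker_callback_uri(broker_base, broker_realm, alias):
    """The broker endpoint the identity provider redirects back to with the code.
    This URI must be allowed by the client registered on the identity provider."""
    return f"{broker_base}/auth/realms/{broker_realm}/broker/{alias}/endpoint"


def redirect_uri_allowed(valid_redirect_uris, uri):
    """Simplified Keycloak rule: exact match, or a trailing '*' matches any suffix."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def check_setup(discovery, discovery_url, valid_redirect_uris, callback):
    """Return human-readable problems; an empty list means the static parts line up."""
    problems = []
    # The realm base is everything before /.well-known/; the issuer in the
    # document must name the same realm, since the broker compares it with
    # the iss claim of the ID token it receives.
    expected_issuer = discovery_url.split("/.well-known/")[0]
    if discovery["issuer"] != expected_issuer:
        problems.append(f"issuer {discovery['issuer']!r} differs from realm base {expected_issuer!r}")
    if not redirect_uri_allowed(valid_redirect_uris, callback):
        problems.append(f"client on the identity provider does not allow redirect to {callback}")
    return problems


def auth_request_url(broker_base, broker_realm, client_id, redirect_uri, alias, nonce):
    """Step 3 of the repro; kc_idp_hint makes the broker skip its own login page
    and forward the browser directly to the named identity provider."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "token",
        "nonce": nonce,
        "kc_idp_hint": alias,
    }
    return f"{broker_base}/auth/realms/{broker_realm}/protocol/openid-connect/auth?" + urlencode(params)


if __name__ == "__main__":
    import json
    cb = broker_callback_uri("https://broker.example.com", "myrealm", "idp")
    print(json.dumps(build_idp_representation(DISCOVERY_DOC, "idp", "token-exchange", "s3cret"), indent=2))
    print("callback:", cb)
    print("problems:", check_setup(DISCOVERY_DOC, DISCOVERY_DOC["issuer"] + "/.well-known/openid-configuration", [cb], cb))
    print(auth_request_url("https://broker.example.com", "myrealm", "token-exchange", "https://app.example.com/cb", "idp", "123"))
```

Run it against a real discovery document by replacing DISCOVERY_DOC with the JSON fetched from the identity provider; the representation it prints can be posted to the broker's admin API, and a non-empty problems list points at a redirect URI or issuer mismatch to fix before retrying the login.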