
Keycloak error : Code not valid - for client token request

A few days ago I integrated Keycloak with my PHP application, which is working fine. Now I am trying to do the same thing for my Vue.js app.

In the 2nd step (the client token request using the authorization code) I am getting a 400 error. Response message: "Code not valid".

1st step (inside mounted):

const AUTHORIZE_URL = 'auth/realms/rstore/protocol/openid-connect/auth';

const params = {
    'response_type': 'code',
    'redirect_uri': 'http://localhost:8080/sso/callback',
    'client_id': client_id, 
    'nonce': uuid(),
    'state': uuid(),
    'scope': 'openid profile email'
};

window.location = baseUrl + AUTHORIZE_URL + '?' + queryString.stringify(params);

2nd step (client token request):

let url = baseUrl + ACCESS_TOKEN_URL;

let params = {
    'grant_type': 'authorization_code',
    'code': code,
    'redirect_uri': 'http://localhost:8080/sso/callback',
    'client_id': client_id,
    'client_secret': client_secret
};

let result = fetch(url, {
    method: 'POST',
    body: queryString.stringify(params),
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded' // ,
    }
})
.then(resp => {
    return resp.json();
})
.catch(error => {
    throw new Error('FetchError in request to ES: ' + error.toString())
})

I also tried from the command prompt:

curl -X POST 'https://example.com/auth/realms/nstore/protocol/openid-connect/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=authorization_code' \
 --data-urlencode 'code=095516b7-e545-4b02-9dad-ec9c6366e0e4.33e1f298-a440-4bdc-9118-96ed669cabcd.e1c5d85f-3441-490d-a1fd-eb3b00d3c47c' \
 --data-urlencode 'client_id=vue' \
 --data-urlencode 'client_secret=b329ade3-2b71-4e3b-ab25-926cb32c5c8c' \
 --data-urlencode 'redirect_uri=http://localhost:8080/sso/callback'

The output is the same: {"error":"invalid_grant","error_description":"Code not valid"}

emdad asked May 18 '26 18:05


1 Answer

The "Code not valid" error message is a general one. It may have one of the following meanings: http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/auth

  1. the code is not valid, or is valid but incorrectly URL encoded
  2. the code is correct, but it has already been used by another user session

Each authorization code can be used only once, to generate a single new access token. As such, generating multiple access tokens from one code is not possible. One reason why you may be receiving this error is that the authorization code was already used, either by Postman or by the web application.

Solution: regenerate the client_secret in the Keycloak server for your realm and then do the complete process again, and you will get the access token and refresh token.

Note: Each authorization code can be used only once, to generate a single new access token. As such, generating multiple access tokens from one code is not possible.

Prabhat Yadav answered May 21 '26 15:05
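The two causes listed in the answer (a badly encoded code, and a code redeemed twice) can both be guarded against in the callback handler. The following is an added example, not code from the question or the answer: `parseCallback`, `tokenRequestBody`, `createRedeemer`, the `cfg` fields and the injected `fetchFn` are hypothetical names, and the client secret is sent only if one is configured.

```javascript
// Added example; all names and the cfg shape are assumptions, not Keycloak APIs.

// Validate the authorization response before contacting the token endpoint.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams; // decodes the query exactly once
  if (q.get('error')) throw new Error('authorization error: ' + q.get('error'));
  if (!expectedState || q.get('state') !== expectedState) {
    throw new Error('state mismatch'); // response does not belong to our request
  }
  const code = q.get('code');
  if (!code) throw new Error('no code in callback');
  return code;
}

// Build the form body; URLSearchParams encodes every value exactly once,
// which avoids the "valid but incorrectly URL encoded" case.
function tokenRequestBody(code, cfg) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri, // must equal the value sent in the 1st step
    client_id: cfg.clientId,
    ...(cfg.clientSecret ? { client_secret: cfg.clientSecret } : {}),
  }).toString();
}

// Returns redeem(code), which sends at most one token request per code.
// A second call (component mounted twice, handler re-run) shares the first
// promise instead of replaying a code the server has already consumed.
function createRedeemer(cfg, fetchFn) {
  const inFlight = new Map(); // code -> Promise of the token response
  return function redeem(code) {
    if (inFlight.has(code)) return inFlight.get(code);
    const p = fetchFn(cfg.tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: tokenRequestBody(code, cfg),
    }).then(async (resp) => {
      const json = await resp.json();
      // Surface the server's reason, e.g. "invalid_grant: Code not valid".
      if (!resp.ok) throw new Error(`${json.error}: ${json.error_description}`);
      return json;
    });
    inFlight.set(code, p);
    return p;
  };
}
```

In the browser, pass `window.fetch.bind(window)` as `fetchFn` and remove `code` from the address bar after a successful exchange so a page reload does not submit it again.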