I am working with the Node.js Keycloak adapter and so far have my client application redirecting to the Keycloak login.
When attempting to log in, I get an error in the Keycloak logs as follows:
12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=xxx, client_auth_method=client-secret
The error message sent back to my express application reads as 'Could not obtain grant code'.
Can someone shed some light on what this means exactly? I can only think I have configured something incorrectly in my realm\client\user settings.
Thanks
I've found the solution. It seems that if you follow this guide: https://www.ibm.com/developerworks/library/se-oauthjavapt3/index.html you will see that when you exchange the access code for the access token (/realms/{realm-name}/protocol/openid-connect/token) you need to add the same redirect_uri that you used when requesting the access code. It works for me now.
Hope it helps,
Adrian
The redirect URL should be exactly similar. I was using the following redirect URL to obtain the code: http://example.com/frontend/ . And when obtaining the token I was using the following URL: http://example.com/
Using the same URL for both the calls resolved the problem.
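The redirect_uri requirement described in the two answers above, as an added example that is not code from either poster or from the Keycloak adapter. The host, the helper names and all sample values are constructed; the `/auth` endpoint path is the standard Keycloak authorization endpoint and does not appear on this page.

```javascript
// Added example: helper names are hypothetical; host and values are constructed.
const BASE = 'https://keycloak.example.test'; // older servers may add an /auth prefix
const REALM = 'myrealm';
const CLIENT_ID = 'client-test';

// Step 1: URL the browser is redirected to in order to obtain the authorization code.
function buildAuthUrl(redirectUri, state) {
  const u = new URL(`${BASE}/realms/${REALM}/protocol/openid-connect/auth`);
  u.search = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: redirectUri, state,
  }).toString();
  return u.toString();
}

// Step 2: form body POSTed to .../protocol/openid-connect/token to exchange the code.
function buildTokenBody(code, redirectUri, clientSecret) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, redirect_uri: redirectUri,
    client_id: CLIENT_ID, client_secret: clientSecret,
  }).toString();
}

// Compare redirect_uri in both requests as exact strings: a different path or a
// missing parameter is enough for the code exchange to be rejected.
function checkRedirectUri(authUrl, tokenBody) {
  const sent = new URL(authUrl).searchParams.get('redirect_uri');
  const exchanged = new URLSearchParams(tokenBody).get('redirect_uri');
  if (exchanged === null) {
    return { ok: false, reason: 'redirect_uri missing from token request' };
  }
  if (sent !== exchanged) {
    return { ok: false, reason: `mismatch: "${sent}" vs "${exchanged}"` };
  }
  return { ok: true, reason: 'redirect_uri identical in both requests' };
}

// Constructed sample reproducing the /frontend/ versus / case from the answer above.
const authUrl = buildAuthUrl('http://example.com/frontend/', 'constructed-state');
const badBody = buildTokenBody('constructed-code', 'http://example.com/', 'constructed-secret');
const goodBody = buildTokenBody('constructed-code', 'http://example.com/frontend/', 'constructed-secret');
console.log(checkRedirectUri(authUrl, badBody));
console.log(checkRedirectUri(authUrl, goodBody));
```

Keeping the redirect URI in one configuration value that both steps read avoids the two requests drifting apart.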
This usually means the code sent back to Keycloak in order to exchange the code for tokens was invalid or got lost. First take a look at the log message of type=LOGIN for the user and make sure the code_id on the login message matches the code_id on the CODE_TO_TOKEN_ERROR.