19
votes

I am working with the Node.js Keycloak adapter and so far have my client application redirecting to the Keycloak login.

When attempting to login, I get an error in the keycloak logs as follows:

12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=xxx, client_auth_method=client-secret

The error message sent back to my express application reads as 'Could not obtain grant code'.

Can someone shed some light on what this means exactly? I can only think I have configured something incorrectly in my realm\client\user settings.

Thanks


3 Answers

12
votes

I've found the solution. It seems that if you follow this guide: https://www.ibm.com/developerworks/library/se-oauthjavapt3/index.html you will see that when you exchange the access code for the access token(/realms/{realm-name}/protocol/openid-connect/token) you need to add the same redirect_uri that you used when requesting the access code. It works for me now.

Hope it helps,

Adrian

4
votes

The redirect URL should be exactly similar. I was using the following redirect URL to obtain the code: http://example.com/frontend/ . And when obtaining the token I was using the following URL: http://example.com/ . Using the same URL for both calls resolved the problem.

1
votes

This usually means the code sent back to Keycloak in order to exchange the code for tokens was invalid or got lost. First take a look at the log message of type=LOGIN for the user and make sure the code_id on that LOGIN message matches the code_id on the CODE_TO_TOKEN_ERROR.