
I am using KeyCloak as an OAuth2 authentication node for my application. But the real authentication and authorization occurs in a custom (Default) Identity Provider.

A happy flow succeeds with the Client Application (through the User) receiving an Authorization Code (to be used to acquire the Tokens).

But whenever my IdP (Identity Provider) returns an error, KeyCloak retries the process, redirecting the User back to the IdP in a loop, instead of delivering this error back to the Client Application.

Is there a configuration or parameter to correct this?

(Screenshot: Identity Provider configuration)

Redirects:

  1. User redirected by Client Application to KeyCloak: https://keycloak/auth/realms/app/protocol/openid-connect/auth?client_id=1&response_type=code&redirect_uri=http://localhost:8100
  2. Internal keycloak redirects...
  3. User redirected by KeyCloak to My IdP: https://myidp/auth?scope=openid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2Fkeycloak%2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=5pe9y4dIpmPHghQbsZrhAA
  4. User redirected by My IdP to KeyCloak with Error: https://keycloak/auth/realms/app/broker/my-idp/endpoint?error_description=expired%20uuid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&error=invalid_request
  5. User redirected by KeyCloak again to My IdP (¬¬): https://myidp/auth?scope=openid&state=WINKLu_z9MDPwShk_mJE9ri7dxMgHN9xNoiTDskku90.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2Fkeycloak%2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=0IcmhzImj9HpAudIk799hg

Trace from KeyCloak:

15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:31,045 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:36,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:36,049 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:36,052 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:41,046 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:41,046 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,367 TRACE [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) Processing @GET request
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) PKCE non-supporting Client
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
15:03:42,367 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-115) Sent request to authz endpoint. Root authentication session with ID '7db70911-e7ce-41f9-9c43-f01ca4d3d9e6' exists. Client is '1' . Created new authentication session with tab ID: ekb7z3lW0c8
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Active key found: realm=app kid=8f2e9d61-d473-46b3-9b8f-fe95161b4eae algorithm=HS256 use=SIG
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: auth-cookie
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie,  authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: auth-cookie
15:03:42,368 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) Couldnt find cookie {0}, trying {1}
15:03:42,368 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Could not find cookie: KEYCLOAK_IDENTITY
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator ATTEMPTED: auth-cookie
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,368 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end


15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,437 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
15:03:42,437 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,440 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,440 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@530bbebe] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@12aba942].
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,742 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-115) invalid_request for broker login oidc
15:03:42,742 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
15:03:42,742 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) execution 'auth-cookie' is processed
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,742 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end


15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,802 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
15:03:42,802 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@68b04511] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@1f1ebc48].
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
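The redirect chain above can be checked mechanically. The following is an added example, not code from the question or from Keycloak: it parses each hop as an OAuth2 message, locates the first upstream error response and reports whether the broker handed that error back to the client's redirect_uri or, as in the question, opened a fresh authorization request to the same IdP with a rotated state. The hop URLs are the ones from the question (hop 2, the internal Keycloak redirect, has no URL on the page and is omitted); EXPECTED_CHAIN is a constructed chain showing the outcome the asker wants.

```python
"""Walk an OAuth2/OIDC brokered redirect chain hop by hop and flag the loop
signature: the broker receives an error response from the upstream IdP and,
instead of returning that error to the client's redirect_uri, immediately
re-issues an authorization request to the same IdP with a fresh state."""
from urllib.parse import urlsplit, parse_qs

# Hops 1, 3, 4 and 5 from the question (hop 2, "internal keycloak redirects",
# is not given as a URL on the page and is left out).
LOOPING_CHAIN = [
    "https://keycloak/auth/realms/app/protocol/openid-connect/auth?client_id=1&response_type=code&redirect_uri=http://localhost:8100",
    "https://myidp/auth?scope=openid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2Fkeycloak%2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=5pe9y4dIpmPHghQbsZrhAA",
    "https://keycloak/auth/realms/app/broker/my-idp/endpoint?error_description=expired%20uuid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&error=invalid_request",
    "https://myidp/auth?scope=openid&state=WINKLu_z9MDPwShk_mJE9ri7dxMgHN9xNoiTDskku90.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2Fkeycloak%2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=0IcmhzImj9HpAudIk799hg",
]

# Constructed: what the asker expects instead of hop 5, i.e. the broker handing
# the upstream error back to the client's redirect_uri (RFC 6749 section 4.1.2.1).
# The client's own request carried no state, so none can be echoed back.
EXPECTED_CHAIN = LOOPING_CHAIN[:3] + [
    "http://localhost:8100/?error=invalid_request&error_description=expired%20uuid",
]


def parse_hop(url):
    """Reduce one redirect URL to its endpoint and the OAuth2 parameters that matter here."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "error" in q:
        kind = "error_callback"       # authorization error response
    elif "code" in q:
        kind = "code_callback"        # successful authorization response
    elif q.get("response_type") == "code":
        kind = "authz_request"        # authorization request (client->broker or broker->IdP)
    else:
        kind = "other"
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "kind": kind,
        "state": q.get("state"),
        "redirect_uri": q.get("redirect_uri"),
        "error": q.get("error"),
        "error_description": q.get("error_description"),
    }


def analyse_chain(urls):
    """Return where the first upstream error occurred and what the broker did next."""
    hops = [parse_hop(u) for u in urls]
    result = {
        "loop_detected": False,
        "returned_to_client": False,
        # hop 0 is the client's request to the broker; its redirect_uri is where
        # the client expects either a code or an error to arrive
        "client_return": hops[0]["redirect_uri"],
    }
    upstream_request = None
    for i, hop in enumerate(hops):
        if hop["kind"] == "authz_request" and i > 0:
            upstream_request = hop      # most recent broker -> IdP request
            continue
        if hop["kind"] != "error_callback":
            continue
        result.update(error_hop=i, error=hop["error"], error_description=hop["error_description"])
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is None:
            break
        if (nxt["kind"] == "authz_request" and upstream_request
                and nxt["endpoint"] == upstream_request["endpoint"]):
            # Loop signature: a brand-new authorization request to the IdP that just failed.
            result.update(loop_detected=True, retry_hop=i + 1,
                          state_rotated=nxt["state"] != upstream_request["state"])
        elif result["client_return"] and nxt["endpoint"].startswith(result["client_return"]):
            result["returned_to_client"] = True
        break   # only the first upstream error matters for the verdict
    return result


if __name__ == "__main__":
    for name, chain in (("question", LOOPING_CHAIN), ("expected", EXPECTED_CHAIN)):
        print(name, analyse_chain(chain))
```

Two things the analysis makes visible beyond the loop itself: the client's own request in hop 1 carries no state parameter, and the trace logs it as a "PKCE non-supporting Client", so even in the expected chain the client could not bind the returned error (or a returned code) to a request it actually initiated. Both are worth fixing on the client independently of the broker behaviour.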

Facing the same issue on keycloak 11.0.2. Sounds like something is wrong in the browser flow, which should be aborted. – cghislai

1 Answer


I identified the cause of my issue; unfortunately, it looks different from yours. You should post your configured flows (browser flow, first login flow).

In my case, the id provider was returning an access_denied error which is interpreted differently than other errors: keycloak tries to display the login form where you can choose the provider; but in my browser flow this was disabled and I was forcing a redirect to the id provider.

In order to avoid the loop, it seems I have to either disable the 'Identity Provider Redirector' or configure it so that the user can choose which one.

This piece of code handles the error parameter in the oauth response: https://github.com/keycloak/keycloak/blob/66dfa32cd569a7416de21b4dc04db212e8fccce5/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L461

The issue is reported on redhat jira: https://issues.redhat.com/browse/KEYCLOAK-13274
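The mechanism the answer describes can be made concrete with a small model. The following is an added illustration, not Keycloak's code and not the answerer's: it models a browser flow made of the two ALTERNATIVE executions visible in the question's trace ('auth-cookie' and 'identity-provider-redirector'), re-enters that flow after the IdP returns an error as the answer says Keycloak does, and shows that a redirector with a default provider closes the loop while a redirector without one lands on the login form. Names such as Session, simulate and broker_login and the outcome strings are assumptions of this model.

```python
"""Toy model of the browser-flow behaviour described in the answer: after the
upstream IdP answers with an error the broker re-enters the browser flow; if the
'identity-provider-redirector' execution has a default provider, the flow sends
the user straight back to that IdP and the loop closes. Simplified illustration,
not Keycloak's own implementation."""
from dataclasses import dataclass, field


@dataclass
class Session:
    cookies: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)


def auth_cookie(session):
    """The 'auth-cookie' execution: SUCCESS only when an SSO cookie exists, else ATTEMPTED."""
    return "SUCCESS" if "KEYCLOAK_IDENTITY" in session.cookies else "ATTEMPTED"


def make_redirector(default_provider):
    """The 'identity-provider-redirector' execution. With a default provider it
    always redirects; without one it is merely ATTEMPTED and the flow falls
    through to the login form, where the user picks a provider."""
    def redirector(session):
        if default_provider is None:
            return "ATTEMPTED"
        return ("REDIRECT", default_provider)
    return redirector


def run_browser_flow(session, executions):
    """ALTERNATIVE executions: the first one that succeeds or redirects decides;
    ATTEMPTED means 'not applicable here, try the next one'."""
    for name, execute in executions:
        outcome = execute(session)
        session.trace.append((name, outcome))
        if outcome == "SUCCESS":
            return ("AUTHENTICATED", None)
        if isinstance(outcome, tuple):
            return outcome
    return ("LOGIN_FORM", None)


def broker_login(session, executions, idp_response, max_rounds=5):
    """Drive the flow until it terminates. After an IdP error the browser flow is
    re-entered, as the answer describes. Returns the terminal outcome, or
    'REDIRECT_LOOP' once the IdP has been redirected to max_rounds times."""
    for _ in range(max_rounds):
        outcome, provider = run_browser_flow(session, executions)
        if outcome != "REDIRECT":
            return outcome
        response = idp_response(provider)
        if "code" in response:
            session.cookies["KEYCLOAK_IDENTITY"] = "set-by-broker"   # login completed
            return "AUTHENTICATED"
        session.trace.append(("idp_error", response["error"]))
    return "REDIRECT_LOOP"


def simulate(default_provider, idp_error=None, sso_cookie=False):
    """Run one configuration; idp_error is the error the (constructed) IdP returns."""
    session = Session(cookies={"KEYCLOAK_IDENTITY": "x"} if sso_cookie else {})
    executions = [("auth-cookie", auth_cookie),
                  ("identity-provider-redirector", make_redirector(default_provider))]

    def idp_response(provider):
        return {"error": idp_error} if idp_error else {"code": "constructed-code"}

    return broker_login(session, executions, idp_response), session.trace


if __name__ == "__main__":
    print("forced redirector, IdP denies:", simulate("my-idp", idp_error="access_denied")[0])
    print("no default provider, IdP denies:", simulate(None, idp_error="access_denied")[0])
    print("forced redirector, IdP issues code:", simulate("my-idp")[0])
```

In these terms the answer's two fixes are the same change: dropping the default provider (or disabling the redirector execution) makes the redirector ATTEMPTED, so the re-entered flow terminates at the login form instead of redirecting again. The model also shows why the happy path never exposes the problem: once the SSO cookie exists, 'auth-cookie' succeeds first and the redirector is never reached.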