Reputation: 7225
I am working with the nodeJS keycloak adapter and so far have my client application redirecting to the keycloak login.
When attempting to login, I get an error in the keycloak logs as follows:
12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=xxx, client_auth_method=client-secret
The error message sent back to my express application reads as 'Could not obtain grant code'.
Can someone shed some light on what this means exactly? I can only think I have configured something incorrectly in my realm\client\user settings.
Thanks
Upvotes: 34
Views: 64012
Reputation: 411
I've found the solution. When you exchange the access code for the access token (/realms/{realm-name}/protocol/openid-connect/token) you need to add the same redirect_uri that you used when requesting the access code. It works for me now.
Upvotes: 26
Reputation: 131
I had this issue with a recent version of Keycloak, 23.0.5. The solution for me was to uncheck client authentication in the client configuration. If you do not do that, Keycloak expects to receive the client_secret in your token request.
Upvotes: 13
Reputation: 1853
If you are using browser login then change the client Access Type from 'confidential' to 'public'. Confidential requires a secret in the request to initiate the login protocol.
Upvotes: 2
Reputation: 154
I came across the same CODE_TO_TOKEN_ERROR after I added a new delegate IdP to my Keycloak config. That error is returned by Keycloak when some parameter in the body of the POST request to the token endpoint is wrong. In my case I investigated my parameter values and realized a mere hash character (i.e. #) was mistakenly appended in my application to the value of the parameter called code. Removing that hash solved the bug.
In your case it could be an error in any of the parameters in the body of your POST request. Parameters in the code authorization flow are the following: grant_type, client_id, client_secret, code, scope and redirect_uri. However, they can be different depending on the implemented flow.
Parameters like 'code' are received in the client app from the URL of a redirect sent by Keycloak as a response to the code grant authorize request. There are sometimes slight differences in the syntax of the URL. I realized that a hash character can be appended to the end of the URL only in some cases. URL parsing needs to deal with all cases.
Upvotes: 2
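The two points made in the answers above (the redirect_uri in the token request must be byte-identical to the one sent in the authorization request, and the code must be parsed out of the redirect URL without a stray trailing "#") as an added Node.js example; this is not code from the question, the answers or the Keycloak adapter, and the Keycloak host, realm, client id and redirect URI are placeholder assumptions. Only built-in URL handling is used, so no request is actually sent.

```javascript
// Assumed placeholder values for the example (not from the original post).
const KEYCLOAK_BASE = "https://keycloak.example.com";
const REALM = "myrealm";
const CLIENT_ID = "client-test";
// The single source of truth for redirect_uri: both requests read it from here,
// so the value cannot drift between the authorize and token calls.
const REDIRECT_URI = "http://example.com/frontend/";

// Step 1: the URL the browser is sent to for login (authorization request).
function authorizationUrl(state) {
  const u = new URL(`${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/auth`);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("scope", "openid");
  u.searchParams.set("state", state);
  return u.toString();
}

// Step 2: pull the code out of the URL Keycloak redirected back to.
// Parsing with URL treats anything after "#" as the fragment, so a trailing
// hash never leaks into the code value the way naive string splitting can.
function extractCode(redirectedTo, expectedState) {
  const u = new URL(redirectedTo);
  if (u.searchParams.get("state") !== expectedState) {
    throw new Error("state mismatch: redirect does not belong to this login");
  }
  const code = u.searchParams.get("code");
  if (!code) throw new Error("no code parameter in redirect URL");
  return code;
}

// Step 3: form body for POST .../protocol/openid-connect/token.
// client_secret is only sent for a confidential client; a public client omits it.
function tokenRequestBody(code, clientSecret) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: CLIENT_ID,
    code,
    redirect_uri: REDIRECT_URI, // must match the authorize request exactly
  });
  if (clientSecret) body.set("client_secret", clientSecret);
  return body;
}

// Sanity check a practitioner can run before debugging server logs:
// the redirect_uri in both requests must be the same string.
function redirectUriMatches(authUrl, body) {
  return new URL(authUrl).searchParams.get("redirect_uri") === body.get("redirect_uri");
}
```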
Reputation: 11164
The redirect URL should be exactly the same. I was using the following redirect URL to obtain the code: http://example.com/frontend/. And when obtaining the token I was using the following URL: http://example.com/
Using the same URL for both calls resolved the problem.
Upvotes: 8
Reputation: 1550
This usually means the code sent back to Keycloak in order to exchange it for tokens was invalid or got lost. First take a look at the log message of type=LOGIN for the user and make sure the code_id on that login message matches the code_id on the CODE_TO_TOKEN_ERROR.
Upvotes: 2