keycloak - CODE_TO_TOKEN_ERROR after user is authenticated

6

33

I am working with the Node.js Keycloak adapter and so far have my client application redirecting to the Keycloak login.

When attempting to log in, I get an error in the Keycloak logs as follows:

12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=xxx, client_auth_method=client-secret

The error message sent back to my express application reads as 'Could not obtain grant code'.

Can someone shed some light on what this means exactly? I can only think I have configured something incorrectly in my realm\client\user settings.

Thanks

Pyrogen answered 24/8, 2017 at 11:21 Comment(0)
23

I've found the solution. When you exchange the access code for the access token (/realms/{realm-name}/protocol/openid-connect/token) you need to add the same redirect_uri that you used when requesting the access code. It works for me now.

Replevin answered 18/1, 2018 at 7:24 Comment(6)
Hi Adrian, could you please explain where to add redirect_uri? I am adding it as a query param to the URL which I use to get the access token, but the error stays the same. - Dissimilation
I've added it as a query param. Maybe that's working for you and something else causes your problem. - Replevin
@Pyrogen Can you please mark this answer as the desired one? Thank you. - Replevin
@AdrianMadaras The IBM link is sadly down! - Tetrasyllable
@Tetrasyllable just make sure to use the same 'redirect_uri' that you used when first authenticating. - Replevin
@AdrianMadaras You are right, but please update your answer with the new link or simply remove it so that all the response content is relevant. - Tetrasyllable
9

I had this issue with a recent version of Keycloak, 23.0.5. The solution for me was to uncheck client authentication in the client configuration. If you do not do that, Keycloak expects to receive the client_secret in your token request.

[Screenshot: Uncheck client authentication]

Bryophyte answered 13/2 at 21:0 Comment(1)
Thanks, saved me a lot of time! This option is typically meant for server-side apps where you can safely use the client secret. - Clothes
8

The redirect URL should be exactly the same. I was using the following redirect URL to obtain the code: http://example.com/frontend/. And when obtaining the token I was using the following URL: http://example.com/. Using the same URL for both calls resolved the problem.

Haver answered 16/9, 2019 at 14:28 Comment(0)
2

I came across the same CODE_TO_TOKEN_ERROR after I added a new delegate IdP to my Keycloak config. That error is returned by Keycloak when some parameter in the body of the POST request to the token endpoint is wrong. In my case I investigated my parameter values and realized a mere hash character (i.e. #) was mistakenly appended in my application to the value of the parameter called code. Removing that hash solved the bug.

In your case it could be an error in any of the parameters in the body of your POST request. Parameters in the authorization code flow are the following: grant_type, client_id, client_secret, code, scope and redirect_uri. However, they can be different depending on the implemented flow.

Parameters like 'code' are received in the client app from the url of a redirect sent by Keycloak as a response to the code grant authorize request. There are slight differences sometimes in the syntax of the url. I realized that a hash character can be appended only in some cases to the end of the url. Url parsing needs to deal with all cases.

Succotash answered 18/9, 2021 at 21:13 Comment(1)
Could you share more information about your issue? In my case, I'm experiencing this exact same appended hash symbol. I'm making a .NET MAUI app and get this issue when interacting with Azure OIDC (also with Keycloak federation). - Kaiserdom
1

This usually means the code sent back to Keycloak in order to exchange it for tokens was invalid or got lost. First take a look at the log message of type=LOGIN for the user and make sure the code_id on that login message matches the code_id on the CODE_TO_TOKEN_ERROR.

Korten answered 28/11, 2017 at 19:39 Comment(0)
1

If you are using browser login, then change the client Access Type from 'confidential' to 'public'. Confidential requires a secret in the request to initiate the login protocol.

Borderline answered 13/1, 2022 at 16:46 Comment(3)
You will sacrifice security :-(. Each login case has its own OIDC flow, and a nodejs server app shouldn't use a public client. - Slavish
It's because I said "if you are using browser login". If you are using nuxt.js (which is node.js) you will need to set the client access as public, because for the frontend there are no private secrets. - Borderline
Had the same issue - I got the error above (with unauthorized_client code 2003) because the Client was set to confidential ([x] Client Authorization) but my public client (AppAuth library) did not send a client secret. Unchecking "Client Authorization" fixed it, thanks for the hint! - Supervene