I have a local Keycloak server running with "Standard Authorization Code Flow".
I call the authorization endpoint with this url:
http://localhost:8080/realms/lapse/protocol/openid-connect/auth?client_id=lapse-app&redirect_uri=http://localhost:8080&response_type=code
After authenticating successfully, I correctly get redirected to:
http://localhost:8282?session_state=6c93f810-d934-4e20-adcc-b21748d3b26a&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Flapse&code=6cc168fc-e894-4f8b-a401-ec3267dc69b1.6c93f810-d934-4e20-adcc-b21748d3b26a.eec3a0c8-ff4a-437b-ad17-5f6228422b0f
Giving me the Authorization Token:
6cc168fc-e894-4f8b-a401-ec3267dc69b1.6c93f810-d934-4e20-adcc-b21748d3b26a.eec3a0c8-ff4a-437b-ad17-5f6228422b0f
A JWT is also added via Cookies (though I do not need it, but this suggests everything has worked correctly so far, I assume).
When I now send a request to the token endpoint, I get the error Code not valid when using these parameters:
{
grant_type : authorization_code,
code : 6cc168fc-e894-4f8b-a401-ec3267dc69b1.6c93f810-d934-4e20-adcc-b21748d3b26a.eec3a0c8-ff4a-437b-ad17-5f6228422b0f,
redirect_uri : http://localhost:8282,
client_id : lapse-app,
client_secret : ZLpHFtQzoYdf21rIDwblZlZZ0bFntaD7
}
I do not understand why this happens. The Authorization Code I get from the redirect seems to be in a different format to what I have seen in examples, do I somehow have to reformat it before sending it to the token endpoint?
I spot a difference in your redirect_uris.
You called the OpenID provider with port 8080
...&redirect_uri=http://localhost:8080&response_type=code
After successful authentication you get redirected to port 8282
http://localhost:8282?....
and when you tried to perform the code-to-token you used the redirect_uri with port 8282
http://localhost:8282
Note that you have to use the exact same redirect_uri when requesting authentication and performing code-to-token.
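The check the answer describes, as an added example that is not part of the original question or answer: it builds both requests of the code flow and compares the redirect_uri sent at each step by exact string match. The function names, the sample code and the sample secret are assumptions made for illustration; the realm URL and client id come from the question.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint base and client id are taken from the question.
OIDC_BASE = "http://localhost:8080/realms/lapse/protocol/openid-connect"
CLIENT_ID = "lapse-app"


def build_auth_url(redirect_uri):
    """Authorization request URL (first step of the code flow)."""
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{OIDC_BASE}/auth?{query}"


def build_token_form(code, redirect_uri, client_secret):
    """Form body for the code-to-token POST (second step)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }


def redirect_uri_mismatch(auth_url, token_form):
    """Return (sent_at_auth, sent_at_token) if they differ, else None."""
    params = parse_qs(urlsplit(auth_url).query)
    sent_at_auth = params.get("redirect_uri", [None])[0]
    sent_at_token = token_form.get("redirect_uri")
    # Exact string comparison: no normalisation of port, slash or case.
    return None if sent_at_auth == sent_at_token else (sent_at_auth, sent_at_token)


# Constructed sample values: placeholders, not real credentials.
CODE, SECRET = "example-code", "example-secret"

# The question's requests: port 8080 at /auth, port 8282 at /token.
broken = redirect_uri_mismatch(
    build_auth_url("http://localhost:8080"),
    build_token_form(CODE, "http://localhost:8282", SECRET))

# Fixed: one constant feeds both requests.
REDIRECT_URI = "http://localhost:8282"
fixed = redirect_uri_mismatch(
    build_auth_url(REDIRECT_URI),
    build_token_form(CODE, REDIRECT_URI, SECRET))
```

Keeping the redirect URI in a single constant, as in the second call, removes the chance of the two requests drifting apart.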