I am new to keycloak setup hence need your help. Please let me know if you need more information.
My web app returns invalid login when valid credentials are entered. Further look into my keycloak pod logs, i can the below error...
The keycloak version: 10.0.2
[org.keycloak.events] (default task-211) type=LOGOUT_ERROR, realmId=qa-vanguard, clientId=qa-client, userId=null, ipAddress=x.x.x.x, error=invalid_token, client_auth_method=client-secret
Any pointers on how to further debug the problem.
-Raman
Related
I am running keycloak 19.0.2 in dev mode. When trying to login to microsoft from keycloak (SSO) using the oauth2 flow, I get 502 error in the browser on the callback to keycloak. The code param has a strange value also.
I believe it has something to do with user permissions, but I can clearly see I have defined them.
The callback to the keycloak server throws a 502 error and has strange values in the code params.
The keycloak server errors with the following logs:
2022-10-17 13:08:46,517 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-42)
Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: Could not obtain user profile
from Microsoft Graph
2022-10-17 13:08:46,542 WARN [org.keycloak.events] (executor-thread-42)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=8ca06b23-d544-4464-a3bf-448be5308802,
clientId=recruit-api, userId=null, ipAddress=127.0.0.1,
error=identity_provider_login_failure, code_id=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1,
authSessionParentId=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1,
authSessionTabId=WjArYJ99WyM
I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should.
However, I can’t get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name” field with a name (say “bbbbb”) in A.
When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb
I always end up with the following logging:
22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage
Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that’s the whole idea of IDP Initiated SSO, no?
What must I do to get this to work?
Thanks in advance!
I faced the same issue, this happens if you use the same realm name in both Keycloak instances.
We are trying to integrate KeyCloak and external IDP using SAML protocol.
After the Keycloak and saml configuration, we tried to test. Keycloak is able to initiate a call to IDP and IDP is returning successful SAML response with requested nameId. But, Keycloak is throwing invalid destination error. Can anyone please help here?
19:13:30,964 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=XXX, clientId=null, userId=null, ipAddress=XXXX, error=invalid_saml_response, reason=invalid_destination
I'm trying to hit keycloak installed in docker container behind an nginx server. That's passing it with proxy_pass.
The query is http://example.compute.amazonaws.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fec2-<ip>.eu-west-2.compute.amazonaws.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a4b04d6b-b490-41ef-8974-f99cf210129d&response_mode=fragment&response_type=code&scope=openid&nonce=9f67c39b-2312-48cd-980f-ca08f265504d
However when I want to go through to the admin console I get a screen with "Missing parameters: client_id".
Anyone have any ideas? Logging locations etc, any assistance would be incredible.
Update:
What is logged on that request is only:
10:57:26,916 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=<anotherip>, error=invalid_request
The fault was with the NGINX config that was stripping the URL params off.
Solution was to add $is_args$args to the proxy_pass url.
I am trying to test "forgot password" link in Keycloak. I get the email but when I click on the link in the email, I see error on UI as Invalid Request
In the server log, I see this
13:51:03,602 WARN [org.keycloak.events] (default task-36)
type=EXECUTE_ACTION_TOKEN_ERROR, realmId=fidesque, clientId=null,
userId=null, ipAddress=127.0.0.1, error=invalid_code, reason='Failed
to parse JWT'
Any clue what I may be missing ?
regards,
Venky
The error is gone after updating to latest version of Keycloak i.e 4.7.0