
I'm trying to get a token from Keycloak using PKCE with the authorization_code flow, without success.

Request parameters (from postman):

curl -X POST \
  http://keycloak-ar.uat.com/auth/realms/myrealm/protocol/openid-connect/token \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Authorization: Basic YWJyYWFvLxF1ZWlyb3o6MTIz' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 172' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Host: keycloak-ar.uat.com' \
  -d 'grant_type=authorization_code&client_id=spring-boot-app&username=apiuser&client_secret=cd78e82a-e86a-4bf3-a3d7-7c01cec49396&code=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es'

Keycloak log:

22:50:01,962 WARN  [org.keycloak.events] (default task-146) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=spring-boot-app, userId=null, ipAddress=10.128.2.1, error=invalid_code, grant_type=authorization_code, client_auth_method=client-secret

1 Answer


Cannot comment, so adding as an answer.

-d 'grant_type=authorization_code&client_id=spring-boot-app&username=apiuser&client_secret=cd78e82a-e86a-4bf3-a3d7-7c01cec49396&code=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es'

A couple of things:
1) client_secret is optional
2) redirect_uri is missing. It is REQUIRED, and must be exactly as the one used while making request for authorization code.

About username, it is definitely not needed, but cannot say if its presence will cause issues. Better to remove it.

  • Thanks. Do you have any example with java/spring-boot using this flow? – Braian Oct 23 '19 at 18:27
  • Yes, have a look at [this](https://github.com/git-adarsh/config-idp-keycloak/tree/master/java/com/auth/ms/services). It has the discussed flow. – adarsh Oct 24 '19 at 03:42
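An added example (not from the question, the answer, or adarsh's linked project) that builds both PKCE requests for this Keycloak client in Python: the S256 code_challenge for the authorization request, and the token-request body carrying redirect_uri and code_verifier but no client_secret or username. The base URL and client_id are taken from the question; redirect_uri and state are assumed placeholders.

```python
# Added example: the two PKCE requests for Keycloak's authorization_code flow
# (RFC 7636, S256). Base URL and client_id come from the question above;
# REDIRECT_URI is an assumed placeholder and must be identical in both steps.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

KEYCLOAK_BASE = "http://keycloak-ar.uat.com/auth/realms/myrealm/protocol/openid-connect"
CLIENT_ID = "spring-boot-app"
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/keycloak"  # assumed


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier of 43..128 unreserved chars; 32 bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(verifier: str, state: str) -> str:
    """Step 1: browser redirect to Keycloak that yields the one-time code."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def token_request_body(code: str, verifier: str) -> dict:
    """Step 2: form body for POST {KEYCLOAK_BASE}/token. No client_secret or
    username; redirect_uri must match step 1, code_verifier must hash to the
    challenge sent in step 1, and the code is single-use."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The body from token_request_body is what goes into curl's -d (after urlencode) in place of the body shown in the question.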