invalid_grant User session not found on first IDP login of session


When using the latest bitnami/keycloak image with a native application (public client), I keep receiving a weird error when exchanging my authorization_code for a token: 400: invalid_grant, User session not found, but only on the first attempt before any sessions exist for the user.

First, I make a call to the auth endpoint with:

  • response_type=code
  • code_challenge_method=S256
  • scope=openid%20email
  • prompt=consent
  • redirect_uri=scheme://login
  • kc_idp_hint=google
  • code_challenge=<code challenge generated from RFC-compliant code verifier>
  • state=<guid>

Then, I try to exchange the received code for a token by calling the token endpoint (POST) with:

  • grant_type=authorization_code
  • client_id=<my client id>
  • code_verifier=<RFC-compliant code verifier used to generate the code_challenge>
  • code=<code>
  • redirect_uri=scheme://login

Oddly, if the user doesn't already have an active session, the token call returns a 400:

  "error_description":"User session not found"

If I look in Keycloak after the auth call completes, but before the token call, I can see that the session does in fact exist. In fact, if I start the whole process over now that the session exists, I suddenly get a 200, along with my tokens.

What am I missing?
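The two requests described in the question, with the S256 challenge derivation and the server-side verifier check made explicit, as an added example that is not part of the original post. The issuer URL and client id are placeholders (the question only gives the `scheme://login` redirect and the `kc_idp_hint=google` parameter); nothing is sent over the network, the functions only build the requests and classify a token-endpoint response so a client can tell a PKCE mismatch apart from the "User session not found" failure reported above.

```python
import base64
import hashlib
import secrets
import string
import urllib.parse

# Placeholder values (assumptions, not from the question): the realm URL and client id
# are whatever the native app is registered with in Keycloak.
ISSUER = "https://keycloak.example.invalid/realms/myrealm"
CLIENT_ID = "native-app"
REDIRECT_URI = "scheme://login"

# RFC 3986 unreserved characters, the only ones RFC 7636 allows in a code_verifier.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(length: int = 64) -> str:
    """Return a high-entropy code_verifier (RFC 7636 section 4.1: 43 to 128 unreserved chars)."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires a verifier of 43 to 128 characters")
    # token_urlsafe(96) yields 128 base64url characters, all of which are unreserved.
    return secrets.token_urlsafe(96)[:length]


def is_valid_code_verifier(verifier: str) -> bool:
    """Length and alphabet check a client should run before using a verifier."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The comparison the token endpoint performs (RFC 7636 section 4.6)."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(challenge: str, state: str) -> str:
    """Authorization request with the same parameters the question lists."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "scope": "openid email",
        "prompt": "consent",
        "redirect_uri": REDIRECT_URI,
        "kc_idp_hint": "google",
        "state": state,
    }
    # quote (not quote_plus) so the space in scope is encoded as %20, as in the question.
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{ISSUER}/protocol/openid-connect/auth?{query}"


def build_token_request(code: str, verifier: str) -> dict:
    """Form fields for the POST to the token endpoint (public client: no client secret)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def classify_token_response(status: int, body: dict) -> str:
    """Separate a successful exchange, the session error from the question, and other
    invalid_grant causes (wrong verifier, reused or expired code) so the client can log
    the right thing instead of retrying blindly."""
    if status == 200 and "access_token" in body:
        return "ok"
    if body.get("error") == "invalid_grant":
        if "session" in body.get("error_description", "").lower():
            return "session-missing"   # "User session not found"
        return "grant-rejected"        # PKCE mismatch, expired or replayed code
    return "other"


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorization_url(challenge, state=secrets.token_hex(16)))
    print(build_token_request("<code from redirect>", verifier))
```

The `classify_token_response` split matters for the question's symptom: a `grant-rejected` result points at the client's verifier/challenge pair, whereas `session-missing` means the PKCE check is not the problem and the server-side session lifecycle (here, the first-login-via-IdP case) is where to look.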
