Tags: java, spring-boot, keycloak, openid-connect, pkce

How to use Keycloak with PKCE


I'm trying to get a token from Keycloak using PKCE with the authorization_code flow, without success.

Request parameters (from postman):

curl -X POST \
  http://keycloak-ar.uat.com/auth/realms/myrealm/protocol/openid-connect/token \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Authorization: Basic YWJyYWFvLxF1ZWlyb3o6MTIz' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 172' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Host: keycloak-ar.uat.com' \
  -d 'grant_type=authorization_code&client_id=spring-boot-app&username=apiuser&client_secret=cd78e82a-e86a-4bf3-a3d7-7c01cec49396&code=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es'

Keycloak log:

22:50:01,962 WARN  [org.keycloak.events] (default task-146) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=spring-boot-app, userId=null, ipAddress=10.128.2.1, error=invalid_code, grant_type=authorization_code, client_auth_method=client-secret

Solution

  • Cannot comment, so adding as an answer.

    -d 'grant_type=authorization_code&client_id=spring-boot-app&username=apiuser&client_secret=cd78e82a-e86a-4bf3-a3d7-7c01cec49396&code=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es'
    

    A couple of things:
    1) client_secret is optional
    2) redirect_uri is missing. It is REQUIRED, and must be exactly the one used when making the request for the authorization code.

    About username, it is definitely not needed, but I cannot say whether its presence will cause issues. Better to remove it.
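A complete PKCE exchange against this token endpoint, as an added example that is not part of the question or of the answer above. It shows the two parameters the posted request lacks: redirect_uri, which the answer points out, and code_verifier, which RFC 7636 requires the token request to carry whenever the authorization request sent a code_challenge (Keycloak recomputes the S256 challenge from the verifier and rejects the code on mismatch). The realm URL and client_id are taken from the question; the redirect URI, the state value and the treatment of spring-boot-app as a public client (so no client_secret and no Basic header) are assumptions. The check is verified with the test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) helper for the Keycloak authorization_code flow."""
import base64
import hashlib
import secrets
import shlex
from urllib.parse import urlencode

# Realm and client_id as in the question; the redirect URI is an assumption.
KEYCLOAK_BASE = "http://keycloak-ar.uat.com/auth/realms/myrealm/protocol/openid-connect"
CLIENT_ID = "spring-boot-app"
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/keycloak"  # assumed


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(challenge: str, state: str) -> str:
    """Step 1: browser redirect. Keycloak stores the challenge with the code it issues."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def token_form(code: str, verifier: str) -> dict:
    """Step 2: body of the POST to /token. Unlike the request in the question,
    redirect_uri and code_verifier are present, and username and client_secret
    are not: a public client proves possession of the verifier, not of a secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def token_curl(code: str, verifier: str) -> str:
    """Render the token request as a curl command; --data-urlencode encodes the URI."""
    parts = ["curl", "-X", "POST", f"{KEYCLOAK_BASE}/token"]
    for key, value in token_form(code, verifier).items():
        parts += ["--data-urlencode", f"{key}={value}"]
    return " ".join(shlex.quote(p) for p in parts)


def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(stored_challenge, make_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    print(authorization_url(challenge, state=secrets.token_urlsafe(16)))
    print(token_curl("<code from the redirect>", verifier))
```

Run the script to print the authorization URL to open in a browser and the curl command to run once the code arrives on the redirect; the same verifier must be kept between the two steps. If the client is configured as confidential in Keycloak, PKCE is added on top of client authentication (Basic header or client_secret), it does not replace it.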