Tags: javascript, node.js, oauth-2.0, keycloak, keycloak-nodejs-connect

Keycloak "Unexpected error when handling authentication request to identity provider" when trying to invoke AIA


An otherwise working-as-expected Keycloak server is giving me a headache since I started to try and implement Application Initiated Actions.

Prior Search

Because looking for the topic results in a sparse selection of hands-on material, I got to go through the design document for AIA, especially the flows section.

Environment

  • Keycloak 15
    • PostgreSQL Database Backend
    • Keycloak as k8s deployment
    • Client in use has temporary full scope for development purposes
  • Node.JS backend with keycloak-connect and express as the Server

What I've tried

According to the design document (here is a Google Groups thread where it is said that the feature "pretty much turned out as designed"), flows should be constructed as

../realms/myrealm/protocol/openid-connect/auth
    ?response_type=code
    &client_id=myclient
    &redirect_uri=https://myclient.com
    &kc_action=update_profile

which resulted in this code in my templating engine:

`${keycloak.config.realmUrl}/protocol/openid-connect/auth?response_type=code&client_id=${keycloak.config.clientId}&redirect_uri=${encodeURIComponent("http://localhost:3000/account")}&kc_action=update_profile`

The Pug variable keycloak.config is filled using keycloak.getConfig(), where keycloak is the keycloak-connect instance.

The templating engine correctly substitutes the variables into a link that leads to my Keycloak instance, where I am presented with (the German equivalent of) this error message:

Unexpected error when handling authentication request to identity provider

(German: Unerwarteter Fehler während der Bearbeitung der Anfrage an den Identity Provider.)

There are no other identity providers configured.

Question

How to correctly make the call to my Keycloak to kick off an AIA, if the way described in the design document leads to this error?


Solution

  • After my own research, I now got it to work. The error message seems misleading because I don't have another identity provider configured on that instance.

    The kc_action parameter is expected to be in ALL CAPS. So

    `${keycloak.config.realmUrl}/protocol/openid-connect/auth?response_type=code&client_id=${keycloak.config.clientId}&redirect_uri=${encodeURIComponent("http://localhost:3000/account")}&kc_action=update_profile`
    

    should be

    `${keycloak.config.realmUrl}/protocol/openid-connect/auth?response_type=code&client_id=${keycloak.config.clientId}&redirect_uri=${encodeURIComponent("http://localhost:3000/account")}&kc_action=UPDATE_PROFILE`
    

    This needs to be documented somewhere for people to find, because I didn't see it explicitly mentioned in the "docs".

    I also raised an enhancement request to the Keycloak documentation to document AIAs officially.