We have a Keycloak cluster with 2 nodes running version 10.0.1. One team has a client that uses the openID connect protocol, and the standard flow is enabled (see attachment-
). Using this client, users experience an error after login about 0.5% of logins, where they are directed to the application’s standard error page. These users can normally access the application without issue. The application uses Spring Security. Because many of the users are not technical, we do not know what the error says except that someone has seen “OAuth error”. The team is working on adding logging. These errors often (but not exclusively) occur on a mobile device running Android.
However, in the Keycloak logs, we see a pattern:
During this login attempt, no errors are logged, despite the fact that OAuth errors normally are logged.
Four messages are logged:
- type=LOGIN, realmId=AD, clientId=xxxxx, userId=xxxxxxxxxxx, ipAddress=xxxxxxxx, auth_method=openid-connect, redirect_uri=xxxxxxxxxxxx, consent=no_consent_required, code_id=xxxxxxxxx, username=xxx, authSessionParentId=xxxxxxxxxxx, authSessionTabId=xxxxx
– this first message does not have a field “auth_type=code”. I am not sure where “auth_type=code” comes from.
- type=LOGIN, realmId=AD, clientId=xxxxxx, userId=xxxxxxx, ipAddress=xxxxxx, auth_method=openid-connect, auth_type=code, redirect_uri=xxxxxxxx, consent=no_consent_required, code_id=xxxxxxx, username=xxxx, authSessionParentId=xxxxxxxx, authSessionTabId=xxxx
— this second message does have a field “auth_type=code”. It comes around a minute after the first, and then the third and fourth messages come immediately, which seem to indicate a normal login.
type=CODE_TO_TOKEN, realmId=AD, clientId=xxxxx, userId=xxxxxxxxxxxx, ipAddress=xxxxx, token_id=xxxxxx, grant_type=authorization_code, refresh_token_type=Refresh, scope=‘email profile’, refresh_token_id=xxxxxxxx, code_id=xxxxxxxxx, client_auth_method=client-secret
type=USER_INFO_REQUEST, realmId=AD, clientId=xxxxxxx, userId=xxxxxxxxx, ipAddress=xxxxxx, auth_method=validate_access_token, signature_required=false, username=xxxxx
It obviously isn’t much information, but we are trying to figure out if these logs (particularly the two LOGIN events) can indicate a problem with the application configuration or the Keycloak client/configuration - or if they don’t indicate anything in particular. Normally, a login flow gives three messages - LOGIN, CODE_TO_TOKEN and USER_REQUEST_INFO. We haven’t been able to replicate any issue in a test environment, as it only occurs sporadically.