I am getting "no valid access_token" errors when trying to use an OpenID Connect identity provider, which could imply the client secret might be invalid.
When checking it I noticed that a string of 10 asterisks is shown instead of the client secret field. Even if I insert the correct client secret and click "Save" in the Web console, the next time I look I see the 10 asterisks again.
Keycloak version 12.0.2, running in standalone mode. How do I make it store and use the correct client secret?
And yes, it's NOT read-only. If I enter something like '${vault.ID}', it remains as I entered it. If I enter the secret as it is, alphanumeric, it's turned into asterisks.
How am I expected to have the correct client secret in such a case?
Can you click the 'eye' button on the right-hand side of the text box to reveal the Client Secret? It looks like it's being protected (shown as asterisks) unless you actively click to view it.
Odd! I have just tested this after saving and I see the same 10 asterisks (previously I did it without clicking save). I can only guess that the goal is to never reveal that secret once it's first created, but if that's the case then the UI needs some indication of that.
Sure, you are talking about the Identity Provider client secret and I was talking about the actual OIDC Client secret (my bad). I'm also guessing that the goal is to never reveal that secret once it is saved. There is a way to enter the correct client secret, but there is no (easy) way to retrieve it.
I would say "no valid access_token" may indicate many problems: wrong time, incorrect issuer, … It doesn't have to be a problem with the secret. I would check the Keycloak log first.
Yes, it was saved correctly if you typed it correctly. But you can't verify it visually in the Web console, because the API sends the masked secret value ******* back to the console:
You can also check in the database, as it looks like it's stored in plain text there; if you look in the table IDENTITY_PROVIDER_CONFIG you'll see a value for a row with NAME=clientSecret, e.g.:
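As an added example (not code from any poster in this thread, nor from Keycloak itself), the helper below works with the masking behaviour described above over the admin REST API: a GET of an identity provider returns the placeholder instead of the stored secret, and sending that placeholder back in a PUT leaves the secret unchanged, so a rotation must send the full representation with the new value. It assumes an admin bearer token has already been obtained, that `base_url` includes the server context path (e.g. `https://host/auth` for Keycloak 12), and that the endpoint is `/admin/realms/{realm}/identity-provider/instances/{alias}`; the network call is separate from the pure helpers so the logic can be checked offline.

```python
"""Rotate a Keycloak identity-provider client secret and interpret the masked read-back.
Added example; endpoint path and token handling are assumptions, not from the thread."""
import json
import urllib.request

# Keycloak returns this placeholder in place of the stored secret (the "10 asterisks"
# seen in the console). Sending it back unchanged tells the server to keep the old value.
MASKED_SECRET = "*" * 10


def secret_state(idp_rep):
    """Classify what a GET of the identity-provider representation says about the secret."""
    value = idp_rep.get("config", {}).get("clientSecret", "")
    if value == MASKED_SECRET:
        return "stored-but-hidden"   # a secret exists; its value cannot be read back
    if value.startswith("${vault."):
        return "vault-reference"     # vault key is echoed verbatim, as the thread observed
    if value == "":
        return "unset"
    return "plaintext"               # value echoed back unmasked (not expected on 12.x)


def build_update(idp_rep, new_secret=None):
    """Return the full representation to PUT. new_secret=None keeps the current secret."""
    updated = json.loads(json.dumps(idp_rep))  # deep copy: PUT replaces the whole config
    cfg = updated.setdefault("config", {})
    cfg["clientSecret"] = MASKED_SECRET if new_secret is None else new_secret
    return updated


def rotate_secret(base_url, realm, alias, token, new_secret):
    """Fetch, patch and PUT the identity provider (requires a live Keycloak server)."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{alias}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)
    body = json.dumps(build_update(current, new_secret)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 on success; a fresh GET will still show the mask
```

Because the read-back is always masked, confirm a rotation by performing a login through the identity provider (or, as noted above, by inspecting IDENTITY_PROVIDER_CONFIG) rather than by re-reading the field.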