Can't use access token issued by authorized_code grant for another client

Hello, and thank you for reading this.
My setup is like this: I have a client set up in Keycloak that is used by the UI for authentication. No authorization. This client is public.
I have another client set up as the resource server (authorization enabled) in Keycloak. This client is used by the backend.
The UI gets an access_token through grant_type=authorization_code and then calls the backend with this access_token. I then try to authorize the backend using this token in order to later get an RPT. But this fails with {"error":"invalid_grant","error_description":"Invalid bearer token"}.
I looked through the source code and it seems that the error is issued when the token was issued by a public client and the session should be fetched: github
This line fails: authzClient.authorization(token)
where token is the token fetched by the UI.

If I do an exercise and issue a token for the UI client through grant_type=password, then the line above does not fail.

So, can somebody please explain what I'm doing wrong?

If anybody ever reads this: the problem was that the issuer seen by the UI was different from the auth-server-url provided to the backend.
"iss": "/y-keycloak/realms/my-realm"
VS
"iss": "http://keycloak:8090/y-keycloak/realms/my-realm"
This is because of the Docker network.
https://issues.jboss.org/browse/KEYCLOAK-6073 is a solution
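The check that produced the "Invalid bearer token" error above, reduced to its essentials, as an added example that is not code from the post or from Keycloak: a bearer-token verifier that checks the signature and then requires the token's `iss` claim to match exactly the issuer the adapter derives from its configured auth-server-url and realm. The tokens are constructed inline with the two issuer values quoted in the post; the HS256 shared secret, `DEMO_SECRET`, and the helper names are assumptions for the demo (Keycloak signs access tokens with the realm's RSA key, so a real adapter verifies against the realm's public key instead).

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 demo only (assumption for this
# example); Keycloak itself signs with the realm's RSA key.
DEMO_SECRET = b"demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore padding stripped by _b64url before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT for constructed claims (demo issuer only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer an adapter derives from its config: <auth-server-url>/realms/<realm>."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def verify_bearer(token: str, auth_server_url: str, realm: str,
                  secret: bytes = DEMO_SECRET) -> tuple[bool, str]:
    """Signature first, then an exact string comparison of the iss claim.

    No normalisation of host or scheme is attempted: a token minted for a
    different issuer is rejected even if the signature is valid.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    want = expected_issuer(auth_server_url, realm)
    got = claims.get("iss")
    if got != want:
        return False, f"issuer mismatch: token says {got!r}, adapter expects {want!r}"
    return True, "ok"


# Constructed inputs reproducing the situation in the post: the backend's
# auth-server-url is the Docker-internal address, the UI's token carries the
# issuer as the browser saw it.
BACKEND_AUTH_SERVER_URL = "http://keycloak:8090/y-keycloak"
REALM = "my-realm"
UI_TOKEN = make_token({"iss": "/y-keycloak/realms/my-realm", "typ": "Bearer"})
CONSISTENT_TOKEN = make_token(
    {"iss": "http://keycloak:8090/y-keycloak/realms/my-realm", "typ": "Bearer"})

if __name__ == "__main__":
    print(verify_bearer(UI_TOKEN, BACKEND_AUTH_SERVER_URL, REALM))
    print(verify_bearer(CONSISTENT_TOKEN, BACKEND_AUTH_SERVER_URL, REALM))
```

Running it shows the UI token being rejected with an issuer mismatch even though its signature is good, and the token whose issuer matches the backend's configuration being accepted. The fix the post points at is the right one: make both the browser-facing and the container-facing paths to Keycloak produce the same issuer, rather than relaxing the comparison in the resource server, since an adapter that accepted any issuer would also accept tokens minted by a different Keycloak instance signed with a key it happened to trust.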