Keycloak SSO Issue: Invalid Request and clientId=null in Identity Broker

Hello community,

I’m setting up Keycloak SSO across two realms with a React application, and I’m consistently getting an Invalid Request error with clientId=null during the Identity Brokering flow. Any insights would be greatly appreciated.

1. Architecture & Goal:

My setup involves a central identity realm (corporate-id) and an application realm (comlog-dev) for a React app (vendas-app). The goal is seamless SSO from onboarding-frontend (authenticated via NestJS to corporate-id) to vendas-app-frontend.

  • Keycloak Setup (Docker, PostgreSQL, KC_LOG_LEVEL=DEBUG):
    • corporate-id Realm (IdP): Contains usuario.teste in the Vendas_Gerente group. Uses the groups-scope client scope. Has a confidential client broker-comlog-dev for brokering and onboarding-api-backend for direct access grants.
    • comlog-dev Realm (SP/Broker): Contains the vendas-manager role. Has a public client vendas-app (Redirect URI: http://localhost:3002/*, Web Origin: http://localhost:3002, CORS enabled). Has an Identity Provider login-centralizado pointing to corporate-id (Client ID: broker-comlog-dev, matching secret). Critical IdP settings: Use PKCE: Off, Store tokens: On, Stored tokens readable: On, Disable nonce: Off, Default Scopes: groups-scope openid profile email. A mapper translates groups:Vendas_Gerente (from corporate-id) to vendas-app/vendas-manager (in comlog-dev).
  • React Frontends:
    • onboarding-frontend (http://localhost:3000): Logs into corporate-id via NestJS. Has a button that redirects to vendas-app.
    • vendas-app-frontend (http://localhost:3002): Uses keycloak-js with onLoad: 'check-sso'.

2. Expected SSO Flow:

  1. User logs into onboarding-frontend with usuario.teste (session established in corporate-id ).
  2. User clicks “Go to Vendas App” on onboarding-frontend .
  3. Browser redirects to the comlog-dev broker endpoint (e.g., http://localhost:8080/realms/comlog-dev/broker/login-centralizado/endpoint?client_id=vendas-app&redirect_uri=http%3A%2F%2Flocalhost%3A3002%2F&response_type=code&scope=openid%20profile%20email%20groups-scope&state=<random_state>).
  4. Keycloak (as broker) should silently authenticate via corporate-id , map roles, and redirect to vendas-app-frontend .
  5. vendas-app-frontend should automatically log in the user.

3. The Problem:

After clicking “Go to Vendas App”, I’m redirected to a Keycloak error page saying “We are sorry… Invalid Request”.

onboarding-frontend works fine.

4. Keycloak Debug Logs:

The most relevant log line indicates:

DEBUG [org.keycloak.services.resources.IdentityBrokerService] Invalid request. Authorization code, clientId or tabId was null. Code=<auth_code>, clientId=null, tabID=null
WARN  [org.keycloak.events] type="IDENTITY_PROVIDER_LOGIN_ERROR", ..., error="invalidRequestMessage"
ERROR [org.keycloak.services.resources.IdentityBrokerService] invalidRequestMessage

What I’ve verified:

  • The URL generated by onboarding-frontend (checked in the debugger) is correct and contains response_type=code and state. Example: http://localhost:8080/realms/comlog-dev/broker/login-centralizado/endpoint?client_id=vendas-app&redirect_uri=http%3A%2F%2Flocalhost%3A3002%2F&response_type=code&scope=openid%20profile%20email%20groups-scope&state=krtsolhfdbepsvo64jc6i
  • Browser cache and site data for localhost have been cleared.
  • All client and IdP configurations (Use PKCE: Off, Store tokens: On, Stored tokens readable: On, Disable nonce: Off, correct Redirect URIs/Web Origins) have been double-checked against the provided guide.
  • Keycloak is restarted via docker compose down and up -d after changes.

5. My Question:

Why are clientId and tabId null in the IdentityBrokerService when the user redirects back from the corporate-id to the comlog-dev broker, despite the initial request URL being correct? Is there a session/cookie configuration or header issue causing the context to be lost?

Any help or suggestions for debugging this would be greatly appreciated!

Thanks!