"No access_token" trying to integrate Keycloak with ClassLink

Trying to integrate Keycloak (12.0.2) with ClassLink OAuth2. After creating corresponding OpenID Connect IdP in Keycloak and trying to authenticate, I get generic error at Keycloak after successfully authenticating at IdP.

The below is shown in logs:

2021-04-07 12:15:19,631 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.

Client secret may be correct (at least it’s displayed as asterisks)
Time is set up correctly on Keycloak server

What can be other possible causes? The following trace (in the log) is rather huge - please let me know what additional data I should provide.

Thank you.

Of course you should to provide that trace. You need be aware of OAuth2 != OIDC. Are you sure that “ClassLink OAuth2” is OIDC compliant IDP?

Hard to say about the compatibility. I have problems with both SAML and OAuth2//OpenID Connect trying to integrate Keycloak with ClassLink.

For reference:


Here are Keycloak logs after the mentioned error happens.

You have nice backtrace, so you can track it. E.g.

at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:515)

So accessToken is null and backtrack it back to find more details.

Well, the studies reveal strange issue. When I enable debug-level logging at Keycloak and intercept the moment it reaches Token URL, the below is seen:

Executing request POST /oauth2/v2/token HTTP/1.1
Target auth state: UNCHALLENGED
Proxy auth state: UNCHALLENGED
http-outgoing-0 >> POST /oauth2/v2/token HTTP/1.1
http-outgoing-0 >> Content-Length: 728
http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded
http-outgoing-0 >> Host: launchpad.classlink.com
http-outgoing-0 >> Connection: Keep-Alive
http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)
http-outgoing-0 >> Accept-Encoding: gzip,deflate
http-outgoing-0 >> "POST /oauth2/v2/token HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 728[\r][\n]"
http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
http-outgoing-0 >> "Host: launchpad.classlink.com[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&code=c1618927455070e43ed97293dc1c9ca715cedac5d15792&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fkeycloak.chengtsui.co%2Fauth%2Frealms%2Fsandbox%2Fbroker%2Fchengtsui_openid_test%2Fendpoint&client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIn0.eyJleHAiOjE2MTg5Mjc1MTUsImlhdCI6MTYxODkyNzQ1NSwianRpIjoiODViYTg2NWUtYWE5Ni00NGY0LWIwODUtMzY5MmM1ZGMwODk2IiwiaXNzIjoiYzE2MTg0OTcyODY2MTUyZDI1Y2QxZTdiZGFjZDAwNGZiZWNhYjY0MTRjMTQiLCJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5jbGFzc2xpbmsuY29tL29hdXRoMi92Mi90b2tlbiIsInN1YiI6ImMxNjE4NDk3Mjg2NjE1MmQyNWNkMWU3YmRhY2QwMDRmYmVjYWI2NDE0YzE0IiwidHlwIjoiSldUIn0.4rNozD95yHh0rK2DmzD7dfQG7ASX-_Q1SlfwcUGcaJk"
http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
http-outgoing-0 << "Date: Tue, 20 Apr 2021 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
http-outgoing-0 << "Content-Length: 87[\r][\n]"
http-outgoing-0 << "Connection: keep-alive[\r][\n]"
http-outgoing-0 << "X-Powered-By: Express[\r][\n]"
http-outgoing-0 << "Content-Security-Policy: frame-ancestors 'self' *.classlink.com *.classlink.io[\r][\n]"
http-outgoing-0 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
http-outgoing-0 << "Vary: Origin, X-HTTP-Method-Override, Accept-Encoding[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: connect.sid=s%3AJ4M9VmTOAI0SIQ677Zawowp7ps-tYgh8.f5OrVDep48j0tMpu48tP%2FLev9CHrZQd46c1%2F5vd2pkM; Path=/; HttpOnly; Secure[\r][\n]"
http-outgoing-0 << "Cache-Control: no-store[\r][\n]"
http-outgoing-0 << "Pragma: no-cache[\r][\n]"
http-outgoing-0 << "[\r][\n]"
http-outgoing-0 << "{[\n]"
http-outgoing-0 << "  "error": "invalid_request",[\n]"
http-outgoing-0 << "  "error_description": "client secret can't be blank"[\n]"
http-outgoing-0 << "}"

Client authentication is set to “Client secret as jwt”, so I am somewhat puzzled now why the IdP requires client secret.

Fixed. I managed to establish Keycloak to ClassLink integration.