No way for external IdP (Google) and Postman?


Sorry if dumb question but 've spent 2 days on something what should be simple but have no clue why it doesn’t work:
I’m configuring Keycloak as IdP and access provider i.e. I want login form to make possible to log in using “built in” account as well as using external IdP. I’ve added Google Identity Provider to my realm, configure it with G. client id, secret and redirect uri. Added a client of “OpenID Connect” type to realm.
All of the above works like a charm when I log in as “build -in” user.

No matter how I do the additional configuration I always have “Invalid format of the code” when trying to get id and access token for this client from Keycloak when login with Google.

The integration with Google is OK, as I can login to Google and can see the code post-ed back to keycloak endpoint http://localhost:8080/realms/here-my-realm/broker/google/endpoint
What is the problem, as far I can see is that Keyloack doesn’t exchange Google’s code to Google’e tokens but tries to exchange Google’e code to own token directly:
POST http://localhost:8080/realms/here-my-realm/protocol/openid-connect/token
Request Body
grant_type: “authorization_code”
code: “4/0AWtgzh7fjZ8UsHarsHtImVaAYvwM5S2V8cByxB_XXXXglceBDdpWvzqanX0pkId8lCVLnA”
redirect_uri: “localhost:44300-signin-oidc”
code_verifier: “t63OQ2OvCLwkBlGnfzU_dXGOhieDZQJVXXXXXX”

what obviously can’t work.
Apparently, the loop to exchange Google’s code to Google’s token, login user and emit Keycloak code is missing.
My impression was that when choosing Google specific IdP I don’t have to configure anything else, but maybe I’m wrong: Post login flow is empty for this IdP?

The integration with Google is OK, IMO, as I can log in to Keycloak console via Google with this setup.
So, maybe it is a matter of using Postman? But it fails when using Insomnia too…

The setup is done on latest Quarkus image.

Any help appreciated!

1 Like

Answer is: yes, there is a way!

My first understanding of the situation was wrong (that Keycloak doesn’t exchange Google’s code to Google’s token …), now I know it is the Postman which prematurely tries to exchange Google’s code to Keycloak token.

Solution here is to use “Authorize in browser” option in Postman. Then it works like a charm :slight_smile:

1 Like

Hi TomRom.

Could you share your Postman configuration of getting access token for a Google login? I feel I’m doing something wrong as flow is not complete in my case.

Thank you in advance!

1 Like

Got this problem and login in with browser worked like a charm!
Aghalaryan, its just normal configuration