Not able to perform the authorization_code grant using Keycloak

Hi everyone,

I am not sure I am doing anything wrong, but it seems like the authorization_code OAuth2 grant is systematically failing for me (I am using the latest Keycloak version: 15.0.2). I remember it was working properly a while back (around version 8 and 10). Here are the steps I am following:

  1. I first navigate to the authorization url:
    http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/auth?client_id=web&redirect_uri=https%3A%2F%2Fhttpbin.org%2F&response_type=code&scope=openid

I am using https://httpbin.org/ as a redirect uri for demo purposes.

  2. After entering the user credentials, I am redirected successfully to the redirect url (httpbin.org) with a code query parameter.

So far so good.

  3. When I try to obtain the token using the code:
    curl -v -u $CLIENT_ID:$CLIENT_SECRET -d "code=a1d50f9d-834e-4b19-b0eb-a547ad6e66c0.664cae41-f35c-4ebc-bed9-e29a5d1bfab4.c5d01df1-4691-4f7d-af0f-11b7fc59a14b&grant_type=authorization_code&redirect_uri=https://httpbin.org/" http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token

I get this message, no matter what I tried: {"error":"invalid_grant","error_description":"Code not valid"}

In the Keycloak logs, this message shows up:

keycloak_1  | 16:44:12,498 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-16) Code 'xxxxxxxx' already used for userSession '664cae41-f35c-4ebc-bed9-e29a5d1bfab4' and client 'xxxxxxxxxx'.
keycloak_1  | 16:44:12,502 WARN  [org.keycloak.events] (default task-16) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=web, userId=null, ipAddress=172.18.0.1, error=invalid_code, grant_type=authorization_code, code_id=xxxxxxxxxxx, client_auth_method=client-secret

As far as I know I am following the flow described by the OAuth2 specs and also described in the Keycloak docs: Securing Applications and Services Guide

Any suggestion is more than welcome.

Thanks.

It turns out I needed to escape the redirect_uri manually (curl does not seem to do this automatically). After trying with redirect_uri=https%3A%2F%2Fhttpbin.org%2F it seems to work. The error message was a bit misleading.
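As an added example (not code from the post or from Keycloak), the script below builds the code-to-token request with the form body percent-encoded by urllib, which is what curl does for you with `--data-urlencode "redirect_uri=https://httpbin.org/"` instead of a bare `-d`. It also models the two server-side rules visible in the question's log line ("Code ... already used"): a code is bound to the redirect_uri it was issued for and is consumed on first redemption, so every retry of a failed exchange must start from a freshly issued code. The client id, secret, code and token values are constructed placeholders, and `CodeStore` is a toy model, not Keycloak's implementation.

```python
"""Build an OAuth2 authorization_code token request and model single-use codes.

Added example; not from the original post or Keycloak. All credential and
code values below are constructed placeholders.
"""
import base64
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed sample values (assumptions, not real secrets or a real code)
CLIENT_ID = "web"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "https://httpbin.org/"
TOKEN_URL = "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token"
SAMPLE_CODE = "code-part-1.session-part-2.client-part-3"  # shape only, constructed


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Return (headers, body) for the POST to the token endpoint.

    urlencode() percent-encodes every value (':' -> %3A, '/' -> %2F), the
    equivalent of curl --data-urlencode rather than a raw -d string.
    Client credentials go in an HTTP Basic header, like curl -u.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, body


def exchange_code(headers, body, token_url=TOKEN_URL):
    """Send the request to a live token endpoint and return the raw JSON text.

    Needs a running Keycloak; not exercised offline.
    """
    req = Request(token_url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class CodeStore:
    """Toy model (assumption) of the server-side checks behind "Code not valid":
    the code must exist, must not have been redeemed before, and must be
    presented with the same redirect_uri it was issued for.
    """

    def __init__(self):
        self._issued = {}  # code -> {"redirect_uri": str, "used": bool}

    def issue(self, code, redirect_uri):
        self._issued[code] = {"redirect_uri": redirect_uri, "used": False}

    def redeem(self, body):
        # parse_qs undoes the percent-encoding applied by urlencode()
        params = parse_qs(body, strict_parsing=True)
        code = params.get("code", [None])[0]
        redirect_uri = params.get("redirect_uri", [None])[0]
        entry = self._issued.get(code)
        if entry is None or entry["used"] or entry["redirect_uri"] != redirect_uri:
            # Same shape as the error the question reports
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        entry["used"] = True  # single use: a retry with this code now fails
        return {"access_token": "constructed-token", "token_type": "Bearer"}


if __name__ == "__main__":
    hdrs, form = build_token_request(SAMPLE_CODE, REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
    print(form)  # redirect_uri arrives as https%3A%2F%2Fhttpbin.org%2F
    store = CodeStore()
    store.issue(SAMPLE_CODE, REDIRECT_URI)
    print(store.redeem(form))  # first use: token
    print(store.redeem(form))  # second use: invalid_grant
```

When a real exchange returns invalid_grant, check the server log for "already used" before changing anything else: the code has been consumed by the earlier attempt, and only a new round through the authorization endpoint will produce one that can be redeemed.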