I’m trying a quick POC with Keycloak.
This includes Keycloak 8.0.1 and a tiny Spring Boot Client App.
I have set up the system so that native Keycloak users can log in via OIDC to the client app.
Further, I followed this doc to integrate external custom users. These users can log in, but OIDC fails.
This is what Keycloak logs:
18:31:38,497 WARN [org.keycloak.events] (default task-3) type=CODE_TO_TOKEN_ERROR, realmId=torment, clientId=test-client, userId=f:ff4c66e5-2a6f-465c-8418-200648a49973:dfb_user, ipAddress=127.0.0.1, error=not_allowed, grant_type=authorization_code, code_id=bf509e42-135e-4fc1-8559-de87c8ad2c28, client_auth_method=client-secret
The client error is:
[invalid_scope] Client no longer has requested consent from user
I assume my UserModel is too bare-bones to create an id_token from it.
I couldn’t really find info on what to implement to make it work though.
tldr; What do I have to implement to make a custom User Storage SPI work for OIDC?