I’m using a GitHub OAuth Workflow in Keycloak and can successfully initiate the workflow. In my GitHub OAuth application, I have the callback URL set to http://localhost:8080/realms/keycloak-express/broker/github/endpoint. I can see the user is both logged into GitHub, and has the application available under the list of authorized OAuth Apps.
The error I get back when using Postman to query Keycloak for the GitHub access token is "errorMessage": "Client [keycloak-express] not authorized to retrieve tokens from identity provider [github]."
Thanks for the reply, xgp. I tried to follow the Keycloak docs in the link I’d supplied and had done the steps below.
I created Client Role with the name read-token. When you do this it also creates a read-token role under the Broker client as well.
I add this to the user I want to authorize through GitHub using the Role mapping tab and choosing the specific client token ({Realmread-only, as opposed to the generic broker token).
I’m also passing the read-only scope as an additional scope based on this statement in the docs “…and the client application must have that role within its scope.” Regardless of passing it or not, I still get the message.
Thanks, xgp. I got the same error when I assigned the broker version previously: User [d1c4cf70-36ed-4355-9788-39c9daa6a46d] is not associated with identity provider [github]. When I look at the user’s Identity Provider tab, there is a Link account button. Should I manually link it? If I try to link it, it asks for a User ID and Username. When I enter the Keycloak-supplied User ID and Username, it returns a 500 internal server error when I query for the GitHub token.
Hi Garth, sorry I didn’t respond earlier, but your response was eaten by Mimecast. Thank you so much, it worked! The thing I was doing wrong is that I was logged in as admin when I tried linking the user’s account to GitHub. Your mentioning of this step was the light bulb moment. After I logged in as the specific user and linked, it worked. Have a great holiday season!
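An added example, not from the thread and not Keycloak's own code: a small Python helper that inspects a Keycloak access token you already hold and reports whether it carries what the posts above were assembling before calling the stored-token endpoint `/realms/<realm>/broker/<alias>/token`. It checks that the token was issued to the expected client (`azp`), by the expected realm (`iss`), and that `resource_access` lists the `read-token` role of the built-in `broker` client; when that role is absent, either the user was never granted it or the client's scope does not include it, which is the condition the docs quoted in the thread describe. Assumptions: the claim layout (`azp`, `iss`, `resource_access` keyed by client id) is Keycloak's default token shape with the standard client-roles mapper; realm, client id, provider alias and user id are taken from the thread; the sample tokens are constructed, unsigned `alg=none` tokens built only so the script runs offline. The second error in the thread (user not associated with the identity provider) is a missing federated-identity link, which the thread resolves by linking while logged in as that user, and cannot be read from the token itself.

```python
import base64
import json

# Keycloak's built-in broker client and the role the thread assigns on it.
BROKER_CLIENT_ID = "broker"
READ_TOKEN_ROLE = "read-token"

# Values from the thread (realm, client, IdP alias, user id).
REALM = "keycloak-express"
CLIENT_ID = "keycloak-express"
ALIAS = "github"
BASE_URL = "http://localhost:8080"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not verified: this inspects a token you
    already hold for troubleshooting, it does not accept tokens from callers.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def broker_token_findings(claims: dict, client_id: str, realm: str, alias: str) -> list[str]:
    """List reasons GET /realms/<realm>/broker/<alias>/token may refuse this token.

    An empty list means the token carries the client, realm and broker role
    the endpoint expects (the federated-identity link is a separate, server-side state).
    """
    findings = []
    azp = claims.get("azp")
    if azp != client_id:
        findings.append(f"token issued to azp={azp!r}, expected client {client_id!r}")
    if not str(claims.get("iss", "")).endswith(f"/realms/{realm}"):
        findings.append(f"issuer {claims.get('iss')!r} is not realm {realm!r}")
    roles = claims.get("resource_access", {}).get(BROKER_CLIENT_ID, {}).get("roles", [])
    if READ_TOKEN_ROLE not in roles:
        findings.append(
            f"no {BROKER_CLIENT_ID} {READ_TOKEN_ROLE} role in resource_access: "
            f"either the user lacks the role or client {client_id!r} does not have it "
            f"in its scope, so tokens for identity provider [{alias}] will be refused"
        )
    return findings


def broker_token_url(base_url: str, realm: str, alias: str) -> str:
    """Endpoint that returns the identity provider's stored token (here GitHub's)."""
    return f"{base_url}/realms/{realm}/broker/{alias}/token"


def make_unsigned_demo_token(claims: dict) -> str:
    """CONSTRUCTED unsigned token so the example runs offline.

    Real Keycloak tokens are signed (RS256 by default); a verifier must never
    accept alg=none. This is only a carrier for sample claims.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims: one token before the role was granted, one after.
CLAIMS_WITHOUT_ROLE = {
    "iss": f"{BASE_URL}/realms/{REALM}",
    "azp": CLIENT_ID,
    "sub": "d1c4cf70-36ed-4355-9788-39c9daa6a46d",
    "resource_access": {"account": {"roles": ["manage-account"]}},
}
CLAIMS_WITH_ROLE = {
    **CLAIMS_WITHOUT_ROLE,
    "resource_access": {
        **CLAIMS_WITHOUT_ROLE["resource_access"],
        BROKER_CLIENT_ID: {"roles": [READ_TOKEN_ROLE]},
    },
}


def check_token(jwt: str) -> list[str]:
    """Decode a token and run the broker-endpoint checks for the thread's setup."""
    return broker_token_findings(decode_claims(jwt), CLIENT_ID, REALM, ALIAS)


if __name__ == "__main__":
    for label, claims in (("without role", CLAIMS_WITHOUT_ROLE), ("with role", CLAIMS_WITH_ROLE)):
        findings = check_token(make_unsigned_demo_token(claims))
        print(f"{label}: {findings or 'token carries what the broker endpoint requires'}")
    print("then call: GET", broker_token_url(BASE_URL, REALM, ALIAS),
          "with Authorization: Bearer <user access token>")
```

Paste the access token obtained as the end user (not as admin) into `check_token` before trying the broker endpoint; if the role finding appears, revisit the role mapping and the client's scope, and if the token looks complete but the endpoint still answers that the user is not associated with the provider, the account link described above is what is missing.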