Unexpected error when handling authentication request to identity provider after upgrade to 21.0.1

Hi Community,

I need some help to secure my application because, after upgrading my Keycloak instance from 16.1 to version 21.0.1 (the latest one), I’m facing the error below when trying to authenticate a client on this endpoint:

realms/"myrealm"/protocol/openid-connect/auth

It should ask for username/password with a login mask UI, instead I receive an exception:

Unexpected error when handling authentication request to identity provider.

Looking at the logs this is the first part of the Exception stack:

2023-03-21 10:23:17,275 WARN  [org.keycloak.services] (executor-thread-50) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
        at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:53)
        at org.jboss.resteasy.plugins.server.BaseHttpRequest.getDecodedFormParameters(BaseHttpRequest.java:74)
        at org.keycloak.services.HttpRequestImpl.getDecodedFormParameters(HttpRequestImpl.java:62)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.retrieveUsername(ValidateUsername.java:161)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:52)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:249)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1025)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:887)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:363)

With the following error:

2023-03-21 10:23:17,361 WARN  [org.keycloak.events] (executor-thread-50) type=LOGIN_ERROR, realmId=*******, clientId=*****, userId=null, ipAddress=*******, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=************, code_id=64b4911b-e9bf-4574-a6c6-bdd62951f23a, response_mode=query, authSessionParentId=64b4911b-e9bf-4574-a6c6-bdd62951f23a, authSessionTabId=XguMC_VfO70

For sure, it is some lack of knowledge on my part, but I cannot understand why it is expecting username/password, since I’m going to this endpoint to enter them. It therefore raises an exception because it finds the username/password fields to be “null”.

Furthermore, previously it was not necessary to add the parameters response_type, scope, redirect_uri and client_id to the URI query; now they are compulsory. I understand that the new Keycloak version is stricter regarding the OAuth RFC (i.e. the scope parameter), but I don’t understand the other query parameters requested.

The openid-client client was imported from the previous version, as well as the realm configuration, where it used to work. Nevertheless, I tried different configurations and query parameters without success.

How do I solve this problem?

Hi, I’m facing the exact same problem.
Did you succeed with it?

Dear Aghalaryan,

I was overwriting the authentication flow in the client’s advanced settings with an incorrect one.
I solved it by finding this setting and setting up the default flow indicated for my case.

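The fix described above (a client-level override binding the wrong flow to browser logins) fits the stack trace, where `directgrant.ValidateUsername` runs under `handleBrowserAuthenticationRequest`. The script below is an added example, not code from the posters or from Keycloak, that scans a realm export for clients whose browser override resolves to a flow containing direct-grant authenticators. The export field names and the lookup of the override by flow id are assumptions about the export layout, and the sample realm is constructed.

```python
# Direct-grant authenticators read credentials from a POSTed form body.
DIRECT_GRANT = {"direct-grant-validate-username", "direct-grant-validate-password",
                "direct-grant-validate-otp"}

def authenticators_in(flow, by_alias, seen=None):
    """Return authenticator IDs used by a flow, following sub-flows by alias."""
    seen = set() if seen is None else seen
    if flow["alias"] in seen:  # guard against cyclic sub-flow references
        return set()
    seen.add(flow["alias"])
    found = set()
    for ex in flow.get("authenticationExecutions", []):
        sub = by_alias.get(ex.get("flowAlias"))
        if sub is not None:
            found |= authenticators_in(sub, by_alias, seen)
        elif ex.get("authenticator"):
            found.add(ex["authenticator"])
    return found

def find_bad_browser_overrides(realm):
    """List (clientId, flow alias, offending authenticators) per bad override."""
    flows = realm.get("authenticationFlows", [])
    by_id = {f["id"]: f for f in flows}
    by_alias = {f["alias"]: f for f in flows}
    findings = []
    for client in realm.get("clients", []):
        ref = (client.get("authenticationFlowBindingOverrides") or {}).get("browser")
        flow = by_id.get(ref) or by_alias.get(ref)  # assumption: override stores the flow id
        bad = sorted(authenticators_in(flow, by_alias) & DIRECT_GRANT) if flow else []
        if bad:
            findings.append((client["clientId"], flow["alias"], bad))
    return findings

def make_flow(fid, alias, *steps):  # hypothetical helper, builds sample data only
    return {"id": fid, "alias": alias, "authenticationExecutions": list(steps)}

SAMPLE_REALM = {  # constructed sample, shaped like a realm export
    "authenticationFlows": [
        make_flow("f-browser", "browser", {"authenticator": "auth-cookie"}, {"flowAlias": "forms"}),
        make_flow("f-forms", "forms", {"authenticator": "auth-username-password-form"}),
        make_flow("f-direct", "direct grant", {"authenticator": "direct-grant-validate-username"},
                  {"authenticator": "direct-grant-validate-password"}),
    ],
    "clients": [
        {"clientId": "legacy-app", "authenticationFlowBindingOverrides": {"browser": "f-direct"}},
        {"clientId": "portal", "authenticationFlowBindingOverrides": {"browser": "f-browser"}},
        {"clientId": "api", "authenticationFlowBindingOverrides": {}},
    ],
}
print(find_bad_browser_overrides(SAMPLE_REALM))
```

Clients it reports should have the browser override cleared or pointed at a flow that renders a login form.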