Authentication fails with federated user if "Consent required" and "Display Client On Consent Screen" are on
Issue
The customer developed a custom user federation provider using the User Storage SPI.
When this custom user federation is enabled and the following are set in the client configuration,
- "Consent required" on
- "Display Client On Consent Screen" on
authentication fails with CODE_TO_TOKEN_ERROR while obtaining the token. Here is the corresponding DEBUG and TRACE level logging:
2020-07-06 10:58:59,040 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-16) Client 'app-profile-jsp' no longer has requested consent from user '****' for client scope 'app-profile-jsp'
2020-07-06 10:58:59,041 TRACE [org.keycloak.events] (default task-16) type=CODE_TO_TOKEN_ERROR, realmId=customUserFederation, clientId=app-profile-jsp, userId=f:b8f41fc1-4fd2-48d1-8214-79bec1ec8009:*****, ipAddress=127.0.0.1, error=not_allowed, grant_type=authorization_code, code_id=4c7d4a5d-942e-45d8-b12e-c44643a1eb69, client_auth_method=client-secret, requestUri=http://localhost:8080/auth/realms/customUserFederation/protocol/openid-connect/token, cookies=[]
This issue happens for all users when the custom user federation is enabled.
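To confirm this signature across a larger log, here is an added Python example (not from the article) that parses the DEBUG and TRACE line formats shown above, flags CODE_TO_TOKEN_ERROR/not_allowed events whose userId carries the federated `f:` prefix, and joins each with the TokenManager consent message logged on the same worker thread. The sample log is constructed from the lines above, with the masked user name replaced by the placeholder 'alice' and one constructed successful event added for contrast.

```python
import re

# Constructed sample in the format of the DEBUG/TRACE lines above: the masked user
# name becomes 'alice'; the third line is a constructed successful CODE_TO_TOKEN
# event for a non-federated (local) user, included for contrast.
SAMPLE_LOG = """\
2020-07-06 10:58:59,040 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-16) Client 'app-profile-jsp' no longer has requested consent from user 'alice' for client scope 'app-profile-jsp'
2020-07-06 10:58:59,041 TRACE [org.keycloak.events] (default task-16) type=CODE_TO_TOKEN_ERROR, realmId=customUserFederation, clientId=app-profile-jsp, userId=f:b8f41fc1-4fd2-48d1-8214-79bec1ec8009:alice, ipAddress=127.0.0.1, error=not_allowed, grant_type=authorization_code, code_id=4c7d4a5d-942e-45d8-b12e-c44643a1eb69, client_auth_method=client-secret, requestUri=http://localhost:8080/auth/realms/customUserFederation/protocol/openid-connect/token, cookies=[]
2020-07-06 10:59:10,102 TRACE [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN, realmId=customUserFederation, clientId=app-profile-jsp, userId=0f3e6d9a-1111-4222-8333-444455556666, ipAddress=127.0.0.1, grant_type=authorization_code, client_auth_method=client-secret, cookies=[]
"""

# "<date> <time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] "
                     r"\((?P<thread>[^)]+)\) (?P<msg>.*)$")
CONSENT_RE = re.compile(r"Client '(?P<client>[^']+)' no longer has requested consent "
                        r"from user '(?P<user>[^']+)' for client scope '(?P<scope>[^']+)'")


def parse_event(msg: str) -> dict:
    """Parse the 'key=value, key=value' body of an org.keycloak.events line;
    split on the first '=' only so values such as requestUri survive intact."""
    fields = {}
    for part in msg.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_federated_user(user_id: str) -> bool:
    """Federated users carry a storage-qualified id: f:<providerId>:<externalId>."""
    return user_id.startswith("f:")


def find_federated_consent_failures(log_text: str) -> list:
    """CODE_TO_TOKEN_ERROR/not_allowed events for federated users, each joined with
    the preceding TokenManager consent message on the same worker thread."""
    pending = {}  # thread name -> fields of the last consent DEBUG message
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        logger, thread, msg = m["logger"], m["thread"], m["msg"]
        if logger.endswith(".TokenManager") and (c := CONSENT_RE.search(msg)):
            pending[thread] = c.groupdict()
        elif logger == "org.keycloak.events":
            ev = parse_event(msg)
            if (ev.get("type") == "CODE_TO_TOKEN_ERROR" and ev.get("error") == "not_allowed"
                    and is_federated_user(ev.get("userId", ""))):
                ev["missing_scope"] = pending.pop(thread, {}).get("scope", "")
                hits.append(ev)
    return hits
```

A hit whose missing_scope equals the clientId, as in the sample, is the pattern this article describes; the local user's successful CODE_TO_TOKEN event is left alone.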
Environment
- Red Hat Single Sign-On (RH-SSO)
- 7.2.7