When using the latest bitnami/keycloak image with a native application (public client), I keep receiving a weird error when exchanging my authorization_code for a token: 400: invalid_grant, User session not found, but only on the first attempt, before any sessions exist for the user.
First, I make a call to the auth endpoint with:
response_type=code
code_challenge_method=S256
scope=openid%20email
prompt=consent
redirect_uri=scheme://login
kc_idp_hint=google
code_challenge=<code challenge generated from RFC-compliant code verifier>
state=<guid>
Then, I try to exchange the received code for a token by calling the token endpoint (POST) with:
grant_type=authorization_code
client_id=<my client id>
code_verifier=<RFC-compliant code verifier used to generate the code_challenge>
code=<code>
redirect_uri=scheme://login
Oddly, if the user doesn't already have an active session, the token call returns a 400:
{
"error":"invalid_grant",
"error_description":"User session not found"
}
If I look in Keycloak after the auth call completes, but before the token call, I can see that the session does in fact exist. In fact, if I start the whole process over now that the session exists, I suddenly get a 200, along with my tokens.
What am I missing?