Keycloak - 500 Internal Server Error when validating a token generated by a confidential client


In the Keycloak server, we created a client that has an Access Type of confidential. By calling /protocol/openid-connect/token endpoint with the client_id and the client_secret, we got the access_token, which was supposed to authenticate the application (client) in question in the follow-up requests.

Even though the token is valid (which I double-checked by calling the introspect endpoint), I am getting a 500 error from the server for any request that has this access_token.

So in short:

  • Calling this endpoint <base_url>/auth/realms/<realm>/protocol/openid-connect/token gives an access_token
    • Provided data: client_id, client_secret, grant_type: "client_credentials"
  • Calling <base_url>/auth/realms/<realm>/protocol/openid-connect/userinfo gives 500 Internal Server Error
{
    "error": "unknown_error"
}

Any insights on what the issue could be?


There are 2 answers

0
Kaushal Shah On

It is not quite clear from the question how you are sending the token to the userInfo endpoint. Provided that the access token you have received is valid, make sure that you are sending the token in the request header. Try the curl command below:

curl \
     -X GET \
     -H "Authorization: Bearer <Access Token>" \
     -H "Content-type: application/json" \
     http://{hostname}/auth/realms/{realm_name}/protocol/openid-connect/userinfo
0
Marovelo On

This should be fixed in Keycloak 13.0.0. See this commit: https://github.com/keycloak/keycloak/commit/056b52fbbe5af06aab957d37405215f1f4ed6ecd
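
The three calls described in the question (token request with client_credentials, introspection, then userinfo with a Bearer header), as an added diagnostic example that is not part of the original posts and is not Keycloak's own code. The `token/introspect` path, the function names and the command-line arguments are assumptions of this example, not values given on the page.

```python
import json, sys, urllib.error, urllib.parse, urllib.request

def endpoint(base_url, realm, name):
    """OpenID Connect endpoint URL, using the /auth/realms/<realm> layout from the question."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/{name}"

def form_post(url, fields):
    """POST with a form-encoded body, as the token and introspection endpoints expect."""
    return urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def token_request(base_url, realm, client_id, client_secret):
    return form_post(endpoint(base_url, realm, "token"), {
        "grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret})

def introspect_request(base_url, realm, client_id, client_secret, token):
    # Assumption: introspection lives at token/introspect and authenticates the calling client.
    return form_post(endpoint(base_url, realm, "token/introspect"), {
        "token": token, "client_id": client_id, "client_secret": client_secret})

def userinfo_request(base_url, realm, token):
    # The token goes in the Authorization header, never in the URL.
    return urllib.request.Request(endpoint(base_url, realm, "userinfo"), method="GET",
                                  headers={"Authorization": f"Bearer {token}"})

def send(req):
    """Return (status, parsed JSON or raw text); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw.decode(errors="replace")

def diagnose(base_url, realm, client_id, client_secret):
    """Run the three calls in order and report where the flow stops working."""
    status, body = send(token_request(base_url, realm, client_id, client_secret))
    if status != 200 or not isinstance(body, dict):
        return {"token_status": status, "token_body": body}
    token = body["access_token"]
    i_status, i_body = send(introspect_request(base_url, realm, client_id, client_secret, token))
    u_status, u_body = send(userinfo_request(base_url, realm, token))
    active = i_body.get("active") if isinstance(i_body, dict) else None
    return {"token_status": status, "introspect_status": i_status, "introspect_active": active,
            "userinfo_status": u_status, "userinfo_body": u_body}

if __name__ == "__main__":  # usage: script.py <base_url> <realm> <client_id> <client_secret>
    print(json.dumps(diagnose(*sys.argv[1:5]), indent=2))
```

A result with `introspect_active` true and `userinfo_status` 500 reproduces the situation in the question and rules out a malformed header on the client side.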