KeyCloak 在身份验证代码流错误后重定向回身份提供者

Posted 2023-02-19

技术标签:

【中文标题】KeyCloak 在身份验证代码流错误后重定向回身份提供者【英文标题】：KeyCloak redirecting back to Identity Provider after Authentication Code Flow error 【发布时间】：2020-12-28 01:31:12 【问题描述】：

我使用 KeyCloak 作为我的应用程序的 OAuth2 身份验证节点。但真正的身份验证和授权发生在自定义（默认）身份提供者中。

客户端应用程序（通过用户）接收到授权码（用于获取令牌），成功流程。

但是，每当我的 IdP（身份提供者）返回错误时，KeyCloak 都会重试将用户重定向回 IdP 循环的过程，而不是将此错误传递回客户端应用程序。

是否有配置或参数来纠正这个问题？

身份提供者配置

重定向：

客户端应用程序将用户重定向到 KeyCloak：https://keycloak/auth/realms/app/protocol/openid-connect/auth?client_id=1&response_type=code&redirect_uri=http://localhost:8100 内部 keycloak 重定向... KeyCloak 将用户重定向到我的 IdP：https://myidp/auth?scope=openid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2FkeyCloth %2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=5pe9y4dIpmPHghQbsZrhAA My IdP 将用户重定向到 KeyCloak，但出现错误：https://keycloak/auth/realms/app/broker/my-idp/endpoint?error_description=expired%20uuid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&error=invalid_request KeyCloak 再次将用户重定向到 My IdP (¬¬)：https://myidp/auth?scope=openid&state=WINKLu_z9MDPwShk_mJE9ri7dxMgHN9xNoiTDskku90.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2F 2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=0IcmhzImj9HpAudIk799hg

来自 KeyCloak 的跟踪

15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:31,045 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:36,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:36,049 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:36,052 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
15:03:41,046 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:41,046 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,367 TRACE [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) Processing @GET request
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) PKCE non-supporting Client
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,367 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-115) Sent request to authz endpoint. Root authentication session with ID '7db70911-e7ce-41f9-9c43-f01ca4d3d9e6' exists. Client is '1' . Created new authentication session with tab ID: ekb7z3lW0c8
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Active key found: realm=app kid=8f2e9d61-d473-46b3-9b8f-fe95161b4eae algorithm=HS256 use=SIG
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: auth-cookie
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie,  authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: auth-cookie
15:03:42,368 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) Couldnt find cookie 0, trying 1
15:03:42,368 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Could not find cookie: KEYCLOAK_IDENTITY
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator ATTEMPTED: auth-cookie
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,368 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end


15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,437 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,437 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,440 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,440 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@530bbebe] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@12aba942].
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,742 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-115) invalid_request for broker login oidc
15:03:42,742 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,742 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) execution 'auth-cookie' is processed
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,742 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end


15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,802 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,802 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@68b04511] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@1f1ebc48].
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end

【问题讨论】：

在 keycloak 11.0.2 上面临同样的问题。听起来浏览器流程中有问题，应该中止 【参考方案1】：

我确定了我的问题的原因，不幸的是它看起来与你的不同。您应该发布您配置的流程（浏览器流程、首次登录流程）。

在我的例子中，id 提供者返回了一个access_denied 错误，该错误的解释与其他错误不同：keycloak 尝试显示登录表单，您可以在其中选择提供者；但在我的浏览器流程中，这被禁用了，我强制重定向到 id 提供者。

为了避免循环，似乎我必须禁用“身份提供程序重定向器”或对其进行配置，以便用户可以选择哪一个。

这段代码处理 oauth 响应中的错误参数： https://github.com/keycloak/keycloak/blob/66dfa32cd569a7416de21b4dc04db212e8fccce5/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L461

问题在redhat jira上报告：https://issues.redhat.com/browse/KEYCLOAK-13274

【讨论】：

以上是关于KeyCloak 在身份验证代码流错误后重定向回身份提供者的主要内容，如果未能解决你的问题，请参考以下文章

在 Laravel 5 中进行身份验证后重定向

如何在.NET 中进行基本身份验证后重定向到 Pentaho 的主页？

React Router - 身份验证后重定向延迟

在 Glassfish 上进行领域身份验证后重定向

身份验证后重定向期间请求挂起

如何在使用 keycloak 进行身份验证时处理 uri 重定向