Hi! I get this error after logging out from a Wildfly application which is secured by Keycloak 21.0.2 with OIDC.
It does not always happen, but sometimes I get it. Could someone suggest what is wrong, or how to handle it on my own rather than by the adapter, because I get a white page with a “Forbidden” message.
[Server:master_wpro] 10:25:03,286 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-145) failed to turn code into token
[Server:master_wpro] 10:25:03,286 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-145) status from server: 400
[Server:master_wpro] 10:25:03,287 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-145) {"error":"invalid_grant","error_description":"Code not valid"}
I’m having the same issue and it is blocking my PoC; has anyone seen a solution?
Verdict: The “Smoking Gun” is Found
Your debug logs confirm the exact issue. This is a classic conflict between Modern Keycloak (v26) and Legacy Adapters (EAP 7) regarding a new security standard (RFC 9207).
1. The Evidence (From your logs)
Look at this line in your log:
reason="Parameter 'redirect_uri' did not match...
What happened:
- Keycloak v26 added a security parameter ?iss=... (Issuer) to the callback URL to prevent “Mix-Up Attacks” (standard behavior in 2024+).
- Your Legacy Adapter didn’t know this was a protocol parameter. It thought it was part of the page URL.
- When the Adapter asked for the token, it told Keycloak: “I am at .../profile.jsp?iss=...”.
- Keycloak rejected it because it expected the original clean URL: .../profile.jsp.
2. The Fix: Disable the “Issuer” Parameter
You need to tell Keycloak to stop sending this parameter to this specific legacy client.
- Log in to the Keycloak Admin Console.
- Go to Clients → click vanilla.
- Click the Advanced tab (at the top).
- Scroll down to the “OpenID Connect Compatibility Modes” section.
- Toggle ON: Exclude Issuer From Authentication Response.
- Click Save.
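To make the mismatch concrete, here is an added Python model of the exchange described above (written for this thread, not code from Keycloak or its adapters). It assumes the legacy adapter strips only code, state and session_state from the callback URL before reusing it as redirect_uri, and that the token endpoint compares redirect_uri exactly against the value from the original authorization request; the callback URL and issuer are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters the authorization server appends to the redirect URI as part of the
# protocol: 'code' and 'state' (RFC 6749), Keycloak's 'session_state', and 'iss'
# (RFC 9207, the issuer identifier that defends against mix-up attacks).
PROTOCOL_PARAMS = {"code", "state", "session_state", "iss"}
# Assumption: the legacy adapter only knows the pre-RFC 9207 set, so 'iss' is
# treated as application data and survives into redirect_uri.
LEGACY_KNOWN = {"code", "state", "session_state"}

def split_callback(callback_url, known_params):
    """Return (redirect_uri without the known protocol params, dict of those params)."""
    parts = urlsplit(callback_url)
    proto, app = {}, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in known_params:
            proto[key] = value
        else:
            app.append((key, value))
    redirect_uri = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(app), ""))
    return redirect_uri, proto

def build_token_request(callback_url, known_params):
    """Body of the authorization_code token request, as the client would send it."""
    redirect_uri, proto = split_callback(callback_url, known_params)
    return {"grant_type": "authorization_code", "code": proto.get("code", ""),
            "redirect_uri": redirect_uri}

def server_accepts(original_redirect_uri, token_request):
    """Model of the token endpoint check: redirect_uri must equal the value used in
    the authorization request, compared as an exact string. A mismatch is what the
    log reports as "Parameter 'redirect_uri' did not match"."""
    return token_request["redirect_uri"] == original_redirect_uri

def issuer_matches(callback_url, expected_issuer):
    """RFC 9207 check a modern client performs before exchanging the code:
    'iss' must be present and equal the issuer the client is configured for."""
    _, proto = split_callback(callback_url, PROTOCOL_PARAMS)
    return proto.get("iss") == expected_issuer

if __name__ == "__main__":
    # Constructed sample callback URL, not taken from the thread's logs.
    cb = ("https://app.example/profile.jsp?code=abc123&state=xyz&session_state=s1"
          "&iss=https%3A%2F%2Fkc.example%2Frealms%2Fdemo")
    original = "https://app.example/profile.jsp"
    for label, known in (("legacy", LEGACY_KNOWN), ("fixed", PROTOCOL_PARAMS)):
        req = build_token_request(cb, known)
        print(label, req["redirect_uri"], "accepted" if server_accepts(original, req) else "rejected")
    print("issuer ok:", issuer_matches(cb, "https://kc.example/realms/demo"))
```

Running it shows the legacy path sending .../profile.jsp?iss=... and being rejected, while stripping iss (or, as in the fix above, not sending it at all) makes the two URLs match again.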