Hi there,
we are using Keycloak to broker our customer's ForgeRock server as an external IdP.
Everything works fine in our development environment.
We authenticate against the test ForgeRock; as per our authentication flow, we are immediately redirected to the ForgeRock login form.
When we deploy in our customer's environment, Keycloak gets an error and does not redirect us to the ForgeRock login form.
If we modify the authentication flow, enabling the alternate login and password, we see the Keycloak login form and a button to log in with the external IdP. By clicking on that button we go to the FR login and everything works fine.
Here is the error we get when we try to authenticate directly to FR:
15:15:28,855 WARN [org.keycloak.events] (default task-14)
type=LOGIN_ERROR, realmId=applications, clientId=netech, userId=null, ipAddress=10.243.81.129, error=invalid_user_credentials, auth_method=openid-connect,
auth_type=code, response_type=code, redirect_uri=https://fastcheckweb.coding.sum.apps.paas.testfactory.copergmps/fastcheckweb/sso/login,
code_id=bd281a1d-c8fc-43c9-b136-49d6b4fe51b8, response_mode=query, authSessionParentId=bd281a1d-c8fc-43c9-b136-49d6b4fe51b8, authSessionTabId=D7ripBfeGhc
15:17:19,221 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14)
REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, null]
15:17:19,222 WARN [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-14) Provider not found or not enabled for realm Login_MPS
15:17:19,222 WARN [org.keycloak.services] (default task-14) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.keycloak-services@15.0.2//org.keycloak.authentication.authenticationprocessor.authenticateonly(authenticationprocessor.java:993)
at org.keycloak.keycloak-services@15.0.2//org.keycloak.authentication.authenticationprocessor.authenticate(authenticationprocessor.java:852)
at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.authorizationendpointbase.handlebrowserauthenticationrequest(authorizationendpointbase.java:151)
at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.oidc.endpoints.authorizationendpoint.buildauthorizationcodeauthorizationresponse(authorizationendpoint.java:300)
at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.oidc.endpoints.authorizationendpoi
Any idea?
Thanks, everyone.