Hi all,
I'm using Keycloak with the Authorization Code Flow in my PHP application. The flow works like this:
The problem:
If an error occurs after I get the tokens, I can use id_token_hint to log the user out of Keycloak and redirect them to the login page, which works fine.
But if an error occurs during the code exchange (i.e., after receiving the code but before getting any tokens), I don't have the id_token, so I can't log the user out of Keycloak. If I simply redirect the user back to the Keycloak login page, Keycloak detects the active session and immediately redirects back to my app with a new code, causing an infinite redirect loop.
Question:
What is the proper way to handle errors that happen after receiving the authorization code, but before obtaining the tokens, so I can break this loop and allow the user to try authenticating again?
Any best practices or recommended approaches for this scenario?
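One way an application could break the loop described above, shown as an added example that is not part of the original post or Keycloak's own code: on a failed code exchange it counts failures in the session, retries with the standard OIDC `prompt=login` parameter so the provider is asked to re-authenticate the user, and after a limit shows an error page instead of redirecting. The issuer URL, client ID, redirect URI, failure limit and function names are assumptions.

```php
<?php
// Added example, not from the original post. Issuer URL, client id, redirect URI
// and the MAX_EXCHANGE_FAILURES limit are assumed placeholder values.
const ISSUER = 'https://keycloak.example.com/realms/myrealm';
const CLIENT_ID = 'my-php-app';
const REDIRECT_URI = 'https://app.example.com/callback';
const MAX_EXCHANGE_FAILURES = 2;

/** Build an authorization request; $forceLogin adds the OIDC prompt=login parameter. */
function buildAuthUrl(array &$session, bool $forceLogin): string
{
    $session['oidc_state'] = bin2hex(random_bytes(16)); // fresh state per attempt
    $params = [
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid',
        'state'         => $session['oidc_state'],
    ];
    if ($forceLogin) {
        $params['prompt'] = 'login'; // ask for re-authentication, not SSO session reuse
    }
    return ISSUER . '/protocol/openid-connect/auth?' . http_build_query($params);
}

/**
 * Decide what to do when the code exchange failed and no id_token is available.
 * Returns ['redirect', url] or ['error_page', message].
 */
function onCodeExchangeFailure(array &$session): array
{
    $session['oidc_failures'] = ($session['oidc_failures'] ?? 0) + 1;
    if ($session['oidc_failures'] > MAX_EXCHANGE_FAILURES) {
        // Stop redirecting: a persistent server-side fault is not cured by a new code.
        return ['error_page', 'Sign-in failed repeatedly. Please try again later.'];
    }
    return ['redirect', buildAuthUrl($session, true)];
}

/** Call after a successful exchange so later failures start from zero. */
function onCodeExchangeSuccess(array &$session): void
{
    unset($session['oidc_failures'], $session['oidc_state']);
}

// Constructed demo: three consecutive failures with an in-memory session array.
$session = [];
for ($i = 1; $i <= 3; $i++) {
    [$action] = onCodeExchangeFailure($session);
    echo "$i: $action\n";
}
```

In a real callback handler the `$session` argument would be `$_SESSION`, and the returned `state` value must be compared with the stored one before any code exchange is attempted.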