Camunda Identity - seeing error in Keycloak - Code not valid

Hi there,

I am experimenting with Self-Managed, release 8.7.0-alpha4.

After running the helm install command, I am trying to log in to Console, Identity, Operate, etc.

I am getting an error particularly when I try to sign in to /identity.

The browser shows a 502 error with the URL below.

https://c86-mini-white.makelabs.in/identity/auth/login-callback?state=&session_state=133230ea-1d27-4f14-804e-0c7de4160abb&iss=https%3A%2F%2Fc86-mini-white.makelabs.in%2Fauth%2Frealms%2Fcamunda-platform&code=2e26257c-a882-4b0a-9010-9db0744ee5f2.133230ea-1d27-4f14-804e-0c7de4160abb.61c8753f-a6d6-414c-9b96-e288f3bb5c86

I picked up the "session_state" value and checked the Keycloak container logs. I see the three lines below there.

session_state=133230ea-1d27-4f14-804e-0c7de4160abb

Keycloak logs:
2025-03-03 17:50:50,744 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-42) Code ‘2e26257c-a882-4b0a-9010-9db0744ee5f2’ already used for userSession ‘133230ea-1d27-4f14-804e-0c7de4160abb’ and client ‘61c8753f-a6d6-414c-9b96-e288f3bb5c86’.
2025-03-03 17:50:50,745 WARN [org.keycloak.events] (executor-thread-42) type=“CODE_TO_TOKEN_ERROR”, realmId=“camunda-platform”, realmName=“camunda-platform”, clientId=“camunda-identity”, userId=“null”, sessionId=“133230ea-1d27-4f14-804e-0c7de4160abb”, ipAddress=“172.71.144.12”, error=“invalid_code”, grant_type=“authorization_code”, code_id=“133230ea-1d27-4f14-804e-0c7de4160abb”, client_auth_method=“client-secret”
2025-03-03 17:51:54,249 WARN [org.keycloak.events] (executor-thread-42) type=“CODE_TO_TOKEN_ERROR”, realmId=“camunda-platform”, realmName=“camunda-platform”, clientId=“camunda-identity”, userId=“null”, ipAddress=“172.69.151.226”, error=“invalid_client_credentials”, grant_type=“authorization_code”

Identity container logs:
Unexpected error
io.camunda.identity.sdk.impl.rest.exception.RestException: request failed with status code ‘400’ and body ‘{“error”:“invalid_grant”,“error_description”:“Code not valid”}’
at io.camunda.identity.sdk.impl.rest.RestClient.send(RestClient.java:124) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
at io.camunda.identity.sdk.impl.rest.RestClient.request(RestClient.java:106) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
at io.camunda.identity.sdk.impl.keycloak.KeycloakAuthentication.exchangeAuthCode(KeycloakAuthentication.java:78) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at io.camunda.identity.sdk.annotation.AnnotationProcessor.lambda$apply$0(AnnotationProcessor.java:33) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
at jdk.proxy2/jdk.proxy2.$Proxy183.exchangeAuthCode(Unknown Source) ~[?:?]
at io.camunda.identity.frontend.service.AuthService.exchangeAuthCode(AuthService.java:51) ~[!/:?]
at io.camunda.identity.frontend.controller.AuthController.loginCallback(AuthController.java:66) ~[!/:?]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]

Any assistance with what could be causing this error?

I am able to sign in to other apps - Console, Operate, Tasklist.
I am also able to deploy BPMN and DMN artefacts and run them well. I have an inbound webhook that seems to run just fine.
It's just that I am not able to sign in to Identity.

The values yaml file is here:

values-c86-mini-white.yaml (7.3 KB)

Thanks in advance.
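Added example, not part of the original post and not Camunda or Keycloak code: one way to line up the `code` value from a login-callback URL with the Keycloak warnings shown above. The function names, the sample URL and the sample log lines are constructed, and the three-part `code` layout (code id, session id, client id) is an assumption inferred from the post's URL and the "already used" warning.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Forum rendering turns quotes typographic; map them back before parsing.
QUOTES = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})
KV = re.compile(r'(\w+)="([^"]*)"')
USED = re.compile(r"Code '([^']+)' already used for userSession '([^']+)'")

def split_code(callback_url):
    """Split the callback's code parameter into (code_id, session_id, client_id)."""
    query = parse_qs(urlsplit(callback_url).query)
    parts = query["code"][0].split(".")
    if len(parts) != 3:  # assumed layout, inferred from the post
        raise ValueError("unexpected authorization code layout")
    return tuple(parts)

def diagnose(callback_url, log_text):
    """List what the Keycloak log says about this callback's code and session."""
    code_id, session_id, _ = split_code(callback_url)
    findings = []
    for line in log_text.translate(QUOTES).splitlines():
        used = USED.search(line)
        if used and used.groups() == (code_id, session_id):
            findings.append("code_redeemed_twice")
            continue
        event = dict(KV.findall(line))
        if event.get("type") != "CODE_TO_TOKEN_ERROR":
            continue
        if event.get("error") == "invalid_client_credentials":
            findings.append("client_auth_failed:" + event.get("clientId", "?"))
        elif event.get("error") == "invalid_code" and event.get("sessionId") == session_id:
            findings.append("invalid_code_for_session")
    return findings

# Constructed sample input in the shape of the post's URL and log lines.
SAMPLE_URL = ("https://example.invalid/identity/auth/login-callback"
              "?state=&session_state=sess-1&code=code-1.sess-1.client-1")
SAMPLE_LOG = """\
WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] Code ‘code-1’ already used for userSession ‘sess-1’ and client ‘client-1’.
WARN [org.keycloak.events] type=“CODE_TO_TOKEN_ERROR”, clientId=“camunda-identity”, sessionId=“sess-1”, error=“invalid_code”
WARN [org.keycloak.events] type="CODE_TO_TOKEN_ERROR", clientId="camunda-identity", error="invalid_client_credentials"
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_URL, SAMPLE_LOG):
        print(finding)
```

A `code_redeemed_twice` finding means the same authorization code reached the token endpoint more than once, while `client_auth_failed` means the client credentials sent with a token request were rejected; the two are separate conditions and are reported separately.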

Hi @Raghavendra_Chari - I did a search for “keycloak code already used for usersession” and I don’t think this is related to Camunda, just a race condition in Keycloak perhaps? But it is strange that other apps work.

Is it still occurring? If it is, try to delete the user session in Keycloak and try to log in again. Does the error persist after that?

Hi @nathan.loding - Thanks for your reply.

I recreated the environment to see if it was a one-time ad hoc issue. But that is not the case - I am seeing the error when signing in to the Identity web app. The same error is visible in the Keycloak logs.

I tried deleting the user session and testing from Chrome / Edge browsers - but same issue.

As you indicated, this could be a race condition in Keycloak - and it seems to happen with Identity only. Is there any possible way to circumvent this? Say, restarting the Keycloak container or Identity container or both? I’ll try to see if this helps.

@Raghavendra_Chari - I’ve shared this error internally and will see if anyone has any thoughts!