
Azure B2C - Keycloak OIDC Integration Fails with "No access_token from server" during Brokered Login

Kevin Dule 65 Reputation points
2025-06-03T14:16:09.6533333+00:00

Hello,

I am integrating Keycloak v25.0.6 with Azure AD B2C using the OpenID Connect broker. The flow works up to the point where Azure B2C returns the authorization code, but then Keycloak fails with the following error:

Failed to make identity provider oauth callback: 
org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. 
error='null', error_description='null', error_uri='null'

Keycloak log:

type="IDENTITY_PROVIDER_LOGIN_ERROR", error="identity_provider_login_failure", userId="null"

My setup:

In Azure B2C:

- Created an app registration with redirect URI pointing to Keycloak.
- Platform type is **Web**, with **PKCE** disabled (tried enabled too).
- Client authentication method is **client_secret_basic**.
- Token endpoint: `https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/oauth2/v2.0/token`
- JWKS URL resolves correctly.

In Keycloak:

- OpenID Connect Identity Provider configured with:
  - `Authorization URL` and `Token URL` from B2C
  - `Client Authentication` set to `client_secret_basic`
  - Client ID and Client Secret from B2C app registration
  - PKCE enabled and disabled (tested both)
  - `Client ID` and `Client Secret` match Azure B2C
- Logs confirm Azure returns a `code`, but no `access_token` is retrieved.
- Manual `curl` call with the returned `code` works and returns an ID token and access token correctly.


Question:

What could cause Azure B2C to return a valid code, but not return an access_token when Keycloak exchanges the token? Is there a specific setting in B2C (policy, claims, response types, etc.) or in Keycloak's client authentication that needs adjustment?


Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2025-06-12T17:15:47.2666667+00:00

    Hi @Kevin Dule, I appreciate your effort in resolving the issue. I am posting your solution here so that it helps other community members in the future.

    Resolved Issue: by @Kevin Dule,

    To enable successful authentication using Azure AD as an identity provider in Keycloak, the following changes were made:

    Scopes Configuration: In the Keycloak identity provider settings, the input for Scopes was updated to include `openid email profile` to ensure the ID token contains the necessary user claims.

    Client ID Inclusion: Additionally, the Azure AD Application (Client) ID was appended to the scope input field in Keycloak (e.g., `openid email profile <client-id>`), as required by Azure AD for certain resource access scenarios.

    These changes allowed Keycloak to correctly receive user information from Azure AD during the authentication flow.

    Kindly click on "Accept Answer" and upvote it, so it is displayed as the answer that resolved the thread.

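To show where the scope from that fix is actually sent, and what the broker's "No access_token from server" check amounts to, here is an added Python example (not code from the thread, from Keycloak or from Microsoft): it builds the authorization redirect carrying the `openid email profile <client-id>` scope, the client_secret_basic code exchange against the B2C v2.0 token endpoint, and the same presence check on the token response. Tenant, policy, client ID, secret and redirect URI are constructed placeholders.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed placeholder values; substitute your own tenant, policy and app registration.
TENANT = "contoso"
POLICY = "B2C_1_signin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = "replace-me"
REDIRECT_URI = "https://keycloak.example.com/realms/demo/broker/b2c/endpoint"
B2C_BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"

def broker_scope(client_id, include_app_id=True):
    """Value for the Keycloak identity provider 'Scopes' field. The thread's fix
    appends the B2C application (client) ID so that B2C issues an access token
    for that app alongside the ID token instead of an ID token only."""
    scopes = ["openid", "email", "profile"]
    if include_app_id:
        scopes.append(client_id)
    return " ".join(scopes)

def authorize_url(scope, state):
    """Authorization request the broker redirects the browser to; this is the
    request in which the configured scope is sent."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{B2C_BASE}/authorize?{urlencode(params)}"

def token_request(code):
    """Code exchange using client_secret_basic: credentials go in an HTTP Basic
    header (RFC 6749 section 2.3.1, form-encoded before base64), not in the body."""
    creds = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return f"{B2C_BASE}/token", headers, body

def check_token_response(raw_json):
    """Apply the same check the broker applies to the token endpoint reply:
    return the access token, or the message Keycloak logs when it is missing."""
    resp = json.loads(raw_json)
    if "access_token" in resp:
        return resp["access_token"]
    e = {k: resp.get(k, "null") for k in ("error", "error_description", "error_uri")}
    return (f"No access_token from server. error='{e['error']}', "
            f"error_description='{e['error_description']}', error_uri='{e['error_uri']}'")
```

Feeding the body of the manual `curl` reply from the question into `check_token_response` reproduces the broker's decision: an ID-token-only reply yields exactly the logged message, a reply carrying `access_token` passes.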

