Keycloak identity provider stopped working with Microsoft IDP

Péter Molnár 1 Reputation point
2022-07-22T19:25:30.297+00:00

I am using Keycloak to authenticate users into my webapp. I have configured Microsoft IDP as an external identity provider. This setup was working until early June when it stopped working.

Keycloak is sending an authorization code grant to the Microsoft endpoint. The scopes I'm setting on the authorization request are openid profile email to get the name and e-mail address of the user.

I am receiving an error response on the redirect URL, where the payload looks like this:

{
  "error": {
    "code": "ErrorInsufficientPermissionsInAccessToken",
    "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
    "innerError": {
      "date": "2022-07-22T18:58:51",
      "request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5",
      "client-request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5"
    }
  }
}

Does anybody know why this is happening?


1 answer

  1. 2022-07-25T01:19:28.327+00:00

    Hello @Péter Molnár, please add the User.Read scope. If the problem persists, get back with new debugging information (request-id and date).

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

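The answer's fix comes down to the scope string the identity-provider configuration sends to Microsoft: the profile lookup behind the error fails unless User.Read is requested. The following is an added example, not code from the question, the answer, Keycloak or Microsoft. It checks a space-separated scope string for User.Read, appends it when missing, builds the v2.0 authorization-code request with the result (the login.microsoftonline.com authorize endpoint is Microsoft's public endpoint, not something from the page), and pulls the request-id and date out of the error payload quoted in the question, which is what the answer asks for when reporting back. The function names, the tenant, client id and redirect URI values are placeholders chosen for the example.

```python
"""Added example: scope check and error-payload triage for a Keycloak -> Microsoft
OIDC broker. Not code from the original Q&A, Keycloak or Microsoft."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes the question reports sending, and the scope the answer says to add.
REQUESTED_SCOPES = "openid profile email"
GRAPH_PROFILE_SCOPE = "User.Read"  # required for the profile (/me style) lookup

# Error payload as quoted in the question (values copied from the page).
SAMPLE_ERROR = json.loads("""{
  "error": {
    "code": "ErrorInsufficientPermissionsInAccessToken",
    "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
    "innerError": {
      "date": "2022-07-22T18:58:51",
      "request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5",
      "client-request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5"
    }
  }
}""")


def missing_profile_scope(scope_string: str) -> bool:
    """True when the space-separated scope string does not request User.Read."""
    return GRAPH_PROFILE_SCOPE not in scope_string.split()


def fixed_scope_string(scope_string: str) -> str:
    """Return the scope string with User.Read appended once, original order kept."""
    scopes = scope_string.split()
    if GRAPH_PROFILE_SCOPE not in scopes:
        scopes.append(GRAPH_PROFILE_SCOPE)
    return " ".join(scopes)


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  scope_string: str, state: str, nonce: str) -> str:
    """Build the v2.0 authorization-code request an OIDC client sends to Microsoft.

    The endpoint is Microsoft's public authorize endpoint; all argument values are
    supplied by the caller (placeholders in this example).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope_string,
        "state": state,   # CSRF binding between request and callback
        "nonce": nonce,   # replay protection bound into the id_token
    }
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
    return base + "?" + urlencode(params)


def requested_scopes(url: str) -> list:
    """Parse the scope parameter back out of an authorization URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split()


def debug_fields(payload: dict) -> dict:
    """Extract the fields worth quoting in a support report: code, request-id, date."""
    err = payload.get("error", {})
    inner = err.get("innerError", {})
    return {
        "code": err.get("code"),
        "request_id": inner.get("request-id"),
        "date": inner.get("date"),
    }


if __name__ == "__main__":
    if missing_profile_scope(REQUESTED_SCOPES):
        print("User.Read is missing; corrected scopes:", fixed_scope_string(REQUESTED_SCOPES))
    # Placeholder tenant, client id and redirect URI for illustration only.
    url = authorize_url("common", "PLACEHOLDER-CLIENT-ID",
                        "https://keycloak.example/realms/demo/broker/microsoft/endpoint",
                        fixed_scope_string(REQUESTED_SCOPES), "state123", "nonce456")
    print(url)
    print(debug_fields(SAMPLE_ERROR))
```

The scope check is what to run against the scope string in the broker configuration before changing anything else; the error-payload helper gives the request-id and date the answer asks for, so a follow-up report can be matched against Microsoft's logs.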
