Keycloak identity provider stopped working with Microsoft IDP

Péter Molnár 1 Reputation point
2022-07-22T19:25:30.297+00:00

I am using Keycloak to authenticate users into my webapp. I have configured Microsoft IDP as an external identity provider. This setup was working until early June when it stopped working.

Keycloak is sending an authorization code grant to the Microsoft endpoint. The scopes I'm setting on the authorization request are openid profile email to get the name and e-mail address of the user.

I am receiving an error response on the redirect URL, where the payload looks like this:

{
  "error": {
    "code": "ErrorInsufficientPermissionsInAccessToken",
    "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
    "innerError": {
      "date": "2022-07-22T18:58:51",
      "request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5",
      "client-request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5"
    }
  }
}

Does anybody know why this is happening?


1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-07-25T01:19:28.327+00:00

    Hello @Péter Molnár , please add the User.Read scope. If the problem persists get back with new debugging information (request-id and date).

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

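The following is an added example, not code from the thread, from Keycloak or from Microsoft. It shows how to confirm the diagnosis in the answer above before changing anything: the Microsoft access token that Keycloak presents to Microsoft Graph carries the delegated permissions it was actually granted in its `scp` claim, and Graph's `GET /me` (which is where a profile lookup with only `openid profile email` fails) needs `User.Read` in that claim. The script decodes a token's claims without verifying the signature (debugging only), lists which scopes are missing, pulls the `request-id` and `date` out of a Graph error payload in the shape posted in the question, and produces the corrected scope string and a matching authorization URL for the v2.0 endpoint. The sample token is constructed inline and unsigned; the tenant, client ID, redirect URI and the assumption that Keycloak's Microsoft provider uses `GET https://graph.microsoft.com/v1.0/me` for the profile call are illustrative assumptions, not facts taken from the thread.

```python
"""Diagnose 'ErrorInsufficientPermissionsInAccessToken' from Microsoft Graph
when Keycloak brokers logins to Microsoft, and build the corrected scope set.

Added example; not from the thread, Keycloak or Microsoft. The sample JWT is
constructed here (alg=none, never accept such a token in real code) and the
tenant/client/redirect values are placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Delegated permission Graph requires for GET https://graph.microsoft.com/v1.0/me
GRAPH_ME_SCOPE = "User.Read"
# Scope list the Keycloak identity provider should request from Microsoft
REQUIRED_SCOPES = ("openid", "profile", "email", GRAPH_ME_SCOPE)
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT purely as a constructed sample for inspection."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    """Read the claims WITHOUT signature verification. Debugging only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(access_token: str) -> set:
    """Graph lists the delegated permissions a token carries in 'scp'."""
    return set(decode_claims(access_token).get("scp", "").split())


def missing_graph_scopes(access_token: str) -> list:
    """Required scopes absent from the token, in REQUIRED_SCOPES order."""
    have = granted_scopes(access_token)
    return [s for s in REQUIRED_SCOPES if s not in have]


def classify_graph_error(payload: dict) -> dict:
    """Extract the fields worth reporting (request-id, date) and a likely cause."""
    err = payload.get("error", {})
    inner = err.get("innerError", {})
    code = err.get("code")
    if code == "ErrorInsufficientPermissionsInAccessToken":
        cause = (f"access token lacks the delegated '{GRAPH_ME_SCOPE}' scope; "
                 "add it to the identity provider's scope setting")
    else:
        cause = "unknown; inspect the message and request-id"
    return {"code": code, "request_id": inner.get("request-id"),
            "date": inner.get("date"), "likely_cause": cause}


def ensure_scopes(configured: str) -> str:
    """Return the configured scope string with any required scope appended."""
    have = configured.split()
    return " ".join(have + [s for s in REQUIRED_SCOPES if s not in have])


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str, scopes: str = " ".join(REQUIRED_SCOPES)) -> str:
    """Authorization-code request to the Microsoft identity platform v2.0 endpoint."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": scopes, "state": state, "nonce": nonce}
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


# Constructed sample: a Graph token granted only the three OIDC scopes.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "scp": "openid profile email",
                                    "name": "Example User"})
# Error payload in the shape posted in the question.
SAMPLE_ERROR = {"error": {"code": "ErrorInsufficientPermissionsInAccessToken",
                          "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
                          "innerError": {"date": "2022-07-22T18:58:51",
                                         "request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5",
                                         "client-request-id": "3ae2cb3f-1f80-4987-a8f6-9fc8f83a6cf5"}}}

if __name__ == "__main__":
    print("granted :", sorted(granted_scopes(SAMPLE_TOKEN)))
    print("missing :", missing_graph_scopes(SAMPLE_TOKEN))
    print("error   :", classify_graph_error(SAMPLE_ERROR))
    print("fixed   :", ensure_scopes("openid profile email"))
    print(build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://keycloak.example/realms/demo/broker/microsoft/endpoint",
                              state="s1", nonce="n1"))
```

In Keycloak the scope string goes in the Microsoft identity provider's "Default Scopes" setting (what `ensure_scopes` returns); the URL builder shows what the resulting authorization request should contain, so you can compare it against what the browser actually sends.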
