POST to /oauth2/token responds error 400 "This endpoint is not supposed to be called by authenticated users"
Affected version
Version: 2.16.2
Summary
We are trying to connect to LLNG using the oauth2 API, from a vuejs application using the keycloak-js library.
With the standard flow we receive a 302 from GET /oauth2/authorize, then the library tries to POST to /oauth2/token to retrieve the access_token, but we receive 400 Bad Request:
{"error_description":"This endpoint is not supposed to be called by authenticated users","error":"invalid_request"}
With the hybrid flow, LLNG returns the access_token in the location header (location: https://xx/portail/#access_token=xxxxxx), so we can authenticate the application, but the library tries to POST to /oauth2/token to retrieve the refresh_token and we also receive the 400 Bad Request. So every 10 seconds the application reloads.
POST /oauth2/token HTTP/2
Host: xxxxxxxxxxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-type: application/x-www-form-urlencoded
Content-Length: 304
Origin: https://xxxxxxxxxxxx
Connection: keep-alive
Referer: https://xxxxxxxxxxxx/
Cookie: lemonldap=xxxxxxxxxxxxxxxxxxx
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
code=xxxx&grant_type=authorization_code&client_id=rp-pristyfront&redirect_uri=https%3A%2F%2Fxxxxxx%2Fportail%2F&code_verifier=xxxxxx
Logs
We are not seeing any specific error in the logs.