Garrettz

OpenID Connect bad response

I have seen a few posts here and there regarding this, but none appear to have a solution for me.

I am attempting to implement keycloak as our authentication provider in our organization wide Salesforce environment. I have an authentication provider setup in Salesforce and a client established in the authentication provider. I open my browser and load the test endpoint from the Salesforce authentication provider setup screen. This redirects me to the auth provider to login. Upon successful login, I get a response from the authentication provider with my state and code. The next endpoint loaded is the error URL from the auth provider configuration within Salesforce with three parameters:
* ErrorCode=No_Openid_Response
* ErrorDescription=Bad+response
* ProviderId={{The ID of the Auth config in SF}}

Everything I'm seeing about the auth response looks correct; I have tried to decode the message to see if there is anything malformed but I haven't been successful in decoding.

I've seen other posts confirming their issue is a self-signed certificate. I've verified the certificate authority on the auth provider is an 'allowed' authority.

The issue appears to be Salesforce rejecting the auth response, but I'm not sure how to debug this let alone solve this.
Hanif.Babar
Can you please share a screenshot of the authentication provider you have configured in your org (do not forget to hide the consumer key and consumer secret before uploading it :)).
Garrettz
[Screenshot of the authentication provider configuration]
* Consumer Key and Secret removed 
Hanif.Babar
Garrettz, did you get this default scope (openid email profile) from the Keycloak API authorization document? What is the callback URL you have entered at the Keycloak end?
Garrettz
I originally had default scope empty; however, after watching some Salesforce videos walking through the configuration, they mentioned it should always have those three at a minimum. I have the authentication provider configured to have scope defined as 'full' for the time being.

callback url: https://test.salesforce.com/services/authcallback/00D29000000DXnCEAW/MBO_Keycloak_Dev

Which is what's being sent back:
https://test.salesforce.com/services/authcallback/00D29000000DXnCEAW/MBO_Keycloak_Dev?state={{Redacted}}&code={{Redacted}}
Garrettz
mhb - I believe I've found the issue. In my Auth Provider's configuration, I included a mapping of a universal ID. It seems the XML printed out from the test URL did not like it for some reason. When I removed that mapping, the XML loaded as expected. Not sure how to resolve that as I need that ID to look up/match to a Salesforce user.