Exchanging authorization tokens failed with Keycloak IdP
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
When Jira is configured for OIDC with Keycloak as the IdP, authentication fails with the following error in atlassian-jira.log:
Exchanging authorization tokens failed. Error: {"error_description":"Unexpected error when authenticating client: null","error":"unauthorized_client"}
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Exchanging authorization tokens failed. Error: {"error_description":"Unexpected error when authenticating client: null","error":"unauthorized_client"}
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.toException(OidcConsumerServlet.java:267)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.exchangeAuthorizationCodeForTokens(OidcConsumerServlet.java:204)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getOidcTokens(OidcConsumerServlet.java:163)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:118)
Diagnosis
Environment
The instance is running on Jira 8.15 or newer.
The authentication method is configured using OIDC, integrated with Keycloak IdP.
Cause
When configuring the client in Keycloak, the admin used a Client ID that contains "/", for example, https://jira.internal.com
Solution
Resolution
Change the Client ID in both Jira and Keycloak so that it contains only alphanumeric characters. Use something like JiraApp or JiraOIDC.
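As an added example (not Atlassian's code and not part of the original article), the following Python script checks a log excerpt for the error shown above and lists the characters in a Client ID that break the alphanumeric-only rule. The function names and the timestamp prefix in the sample log line are assumptions made for illustration.

```python
import json

# Error text from atlassian-jira.log, as quoted in this article.
SIGNATURE = "Exchanging authorization tokens failed. Error: "


def token_exchange_errors(log_lines):
    """Yield the decoded JSON error body of each token-exchange failure line."""
    decoder = json.JSONDecoder()
    for line in log_lines:
        idx = line.find(SIGNATURE)
        if idx == -1:
            continue
        payload = line[idx + len(SIGNATURE):].lstrip()
        try:
            body, _ = decoder.raw_decode(payload)  # tolerates trailing text
        except json.JSONDecodeError:
            continue  # signature present, but body truncated or not JSON
        if isinstance(body, dict):
            yield body


def bad_client_id_chars(client_id):
    """Return the sorted non-alphanumeric (or non-ASCII) characters in a Client ID."""
    return sorted({c for c in client_id if not (c.isascii() and c.isalnum())})


def diagnose(log_lines, client_id):
    """True when the log shows unauthorized_client and the Client ID breaks the rule."""
    hit = any(e.get("error") == "unauthorized_client"
              for e in token_exchange_errors(log_lines))
    return hit and bool(bad_client_id_chars(client_id))


# Constructed sample: the article's error text behind a made-up log prefix.
SAMPLE_LOG = [
    '2024-01-01 10:00:00,000 ERROR [constructed-prefix] Exchanging authorization tokens failed. Error: {"error_description":"Unexpected error when authenticating client: null","error":"unauthorized_client"}',
    "at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:118)",
]

if __name__ == "__main__":
    print(list(token_exchange_errors(SAMPLE_LOG)))
    print(bad_client_id_chars("https://jira.internal.com"))
    print(diagnose(SAMPLE_LOG, "https://jira.internal.com"))
```

An empty list from `bad_client_id_chars` means the Client ID already satisfies the resolution above, so the `unauthorized_client` error needs a different explanation.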