Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

Getting error "Failed to contact token endpoint" during login #72

Closed danielr1996 closed 3 months ago

danielr1996 commented 3 months ago

When clicking the "login with sso provider" button I get redirected to Keycloak and can log in, however back at vaultwarden I get the error: `Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: unknown_error, error_description: Some("For more on this error consult the server log at the debug level."), error_uri: None })`.

Here's the log:

```
[start][INFO] Rocket has launched from http://0.0.0.0:80
[request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[reqwest::connect][DEBUG] starting new connection: https://sso.danielrichter.codes/
[reqwest::connect][DEBUG] starting new connection: https://sso.danielrichter.codes/
[response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[request][INFO] GET /identity/connect/oidc-signin?state=HGzoKsfLBNWnBLf8q9nsnAG4
[vaultwarden::api::identity][DEBUG] Redirection to http://localhost/sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3MjA2OTYyMTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3R8c3NvIiwiY29kZSI6eyJPayI6eyJjb2RlIjoiOWNkY2M4NTctMTgyZi00YWQ0LWIxOTAtZWUzYWNmNTFkZjI1LmNmYjdkNGI3LTdjNWItNGI5NC04ZjFiLTM0YWRmYzQyMzA1ZC4wZWQ2ZjVjMi1hZWU4LTQyYTktOTZiZC03ZWRkNDMwYWRlMzMiLCJzdGF0ZSI6IkhHem9Lc2ZMQk5XbkJMZjhxOW5zbkFHNHh2a2lkYW5rajVMNENtTWN0RGZFd2NIVkZRRHRyTVZ4c0NFTFU0TFJfaWRlbnRpZmllcj11bmRlZmluZWQifX19.rLhuUKoG7eIAk2kpR31cuBkplR4jRgmi-jM3FtZw4M7-WLgaE5GtCCfHiYLb9voXG6qXczlzuT-myIOXyKR8B-kn_BIaKsxpw9W6wEZau9PWwHj_CAnmpEVy2HHt9PzxbRJqlpIZjT2n5f50Ll9wC3KCwQ94xL75n6WJfr1fTKRuvAfF7qXweWjT7GxxeJepSUUBw3J5JANYuCMhWjqX3naDCp-a3ifIpHctG-DoKjWXF_yFUEereLKNt7-v6APe9fet2ulrv-gegzu6-g0WnZKAt6UxBv653JX6_nRgCy9d1Q1ZSVQ-YPEa47vWmDdAMGqei9i2qU6m-vuw0f6fXw&state=HGzoKsfLBNWnBLf8q9nsnAG4xvkidankj5L4CmMctDfEwcHVFQDtrMVxsCELU4LR_identifier%3Dundefined&scope=api+offline_access&iss=http%3A%2F%2Flocalhost
[response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?<code>&<state> => 307 Temporary Redirect
[request][INFO] GET /sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciO
[response][INFO] (web_files) GET /<p..> [10] => 200 OK
[request][INFO] GET /?code=eyJ0eXAiOiJKV1QiLCJhbGciO
[response][INFO] (web_index) GET / => 200 OK
[request][INFO] GET /locales/en/messages.json?cache=w6e14
[response][INFO] (web_files) GET /<p..> [10] => 200 OK
[rocket::server::_][WARN] Remote left: client disconnect before response started.
[request][INFO] GET /images/favicon-32x32.png
[response][INFO] (web_files) GET /<p..> [10] => 200 OK
[request][INFO] POST /identity/connect/token
[reqwest::connect][DEBUG] starting new connection: https://sso.danielrichter.codes/
[reqwest::connect][DEBUG] starting new connection: https://sso.danielrichter.codes/
[reqwest::connect][DEBUG] starting new connection: https://sso.danielrichter.codes/
[vaultwarden::sso][ERROR] Failed to contact token endpoint: ServerResponse(StandardErrorResponse { error: unknown_error, error_description: Some("For more on this error consult the server log at the debug level."), error_uri: None })
[response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[vaultwarden::api::core::accounts][DEBUG] Purging auth requests
[vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
```

I noticed three lines that might be of special interest.

What is the domain hint? Should this be the real domain of either the OIDC endpoint or the vaultwarden instance?

```
[request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
```

Is the redirect URI truncated, or is this really just "htt"?

```
[request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
```

This is an empty JWT; shouldn't there be any data inside?

```
[request][INFO] GET /sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciO
```

```
http://localhost/sso-connector.html
code=ey....Xw (encoded below)
&state=HGzoKsfLBNWnBLf8q9nsnAG4xvkidankj5L4CmMctDfEwcHVFQDtrMVxsCELU4LR_identifier%3Dundefined # probably shouldn't be undefined
&scope=api+offline_access
&iss=http%3A%2F%2Flocalhost
code= parameter decoded:
{
  "exp": 1720696217,
  "iss": "http://localhost|sso",
  "code": {
    "Ok": {
      "code": "9cdcc857-182f-4ad4-b190-ee3acf51df25.cfb7d4b7-7c5b-4b94-8f1b-34adfc42305d.0ed6f5c2-aee8-42a9-96bd-7edd430ade33",
      "state": "HGzoKsfLBNWnBLf8q9nsnAG4xvkidankj5L4CmMctDfEwcHVFQDtrMVxsCELU4LR_identifier=undefined"
    }
  }
}
```

What also confused me is the fact that all the OIDC calls seem to go to an internal endpoint at `identity/connect/authorize` instead of my Keycloak endpoint at `/protocol/openid-connect/auth`. Is this intended? Are there two OIDC servers involved?

danielr1996 commented 3 months ago

After testing a few of these endpoints with curl I noticed that I also get the error `Error: unknown_error, Description: For more on this error consult the server log at the debug level.` directly from Keycloak, so this seems to be a problem on my side.

danielr1996 commented 3 months ago

I got it working now: my Keycloak was misconfigured, I needed to set the access type to public instead of confidential.

Timshel commented 3 months ago

To answer some of your questions:

> What is the domain hint?

It's a Bitwarden parameter that is unused. During the normal flow you should not see it (a dummy value is set after you input your email).

> What also confused me is the fact that all the oidc calls seem to go to an internal endpoint `identity/connect/authorize`

You are redirected to `identity/connect/authorize`, which then redirects to the correct URL depending on the client (web, mobile or desktop). There is no additional OIDC server, but the tokens sent by Keycloak are wrapped in another JWT to be able to carry more information.
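The decoded `code` parameter in the first post and the wrapper JWT described in the reply above are the same object. The following Python example is added here (it is not part of the issue and not vaultwarden code): it unpacks the wrapper token copied from the log to show that the "empty JWT" in the request line is only log truncation, that the Keycloak authorization code and state travel inside the `code.Ok` claim, and that the `exp` claim makes the wrapper single-use in time. The signature is deliberately not verified, since only the Vaultwarden instance holds the key; the `_identifier=` split of the state is an observation from the log, not a documented format.

```python
import base64
import json
import time

# Wrapper token copied verbatim from the log in the issue above (long expired).
# The RS256 signature is NOT verified here: only the Vaultwarden instance holds
# the key, so this is inspection of the claims only, never a trust decision.
SSO_CODE = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJleHAiOjE3MjA2OTYyMTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3R8c3NvIiwi"
    "Y29kZSI6eyJPayI6eyJjb2RlIjoiOWNkY2M4NTctMTgyZi00YWQ0LWIxOTAtZWUz"
    "YWNmNTFkZjI1LmNmYjdkNGI3LTdjNWItNGI5NC04ZjFiLTM0YWRmYzQyMzA1ZC4w"
    "ZWQ2ZjVjMi1hZWU4LTQyYTktOTZiZC03ZWRkNDMwYWRlMzMiLCJzdGF0ZSI6IkhH"
    "em9Lc2ZMQk5XbkJMZjhxOW5zbkFHNHh2a2lkYW5rajVMNENtTWN0RGZFd2NIVkZR"
    "RHRyTVZ4c0NFTFU0TFJfaWRlbnRpZmllcj11bmRlZmluZWQifX19."
    "rLhuUKoG7eIAk2kpR31cuBkplR4jRgmi-jM3FtZw4M7-WLgaE5GtCCfHiYLb9voX"
    "G6qXczlzuT-myIOXyKR8B-kn_BIaKsxpw9W6wEZau9PWwHj_CAnmpEVy2HHt9Pzx"
    "bRJqlpIZjT2n5f50Ll9wC3KCwQ94xL75n6WJfr1fTKRuvAfF7qXweWjT7GxxeJep"
    "SUUBw3J5JANYuCMhWjqX3naDCp-a3ifIpHctG-DoKjWXF_yFUEereLKNt7-v6APe"
    "9fet2ulrv-gegzu6-g0WnZKAt6UxBv653JX6_nRgCy9d1Q1ZSVQ-YPEa47vWmDdA"
    "MGqei9i2qU6m-vuw0f6fXw"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sso_code(token: str, now=None) -> dict:
    """Unpack the Vaultwarden wrapper JWT without verifying its signature.

    Returns the algorithm, issuer, the inner Keycloak authorization code, the
    two halves of the state ("<nonce>_identifier=<value>" as seen in the log),
    the raw signature size in bytes and whether the wrapper has expired.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    inner = claims["code"]["Ok"]  # Keycloak's code and state, carried inside
    nonce, _, identifier = inner["state"].partition("_identifier=")
    now = int(time.time()) if now is None else now
    return {
        "alg": header["alg"],
        "iss": claims["iss"],
        "keycloak_code": inner["code"],
        "state_nonce": nonce,
        "identifier": identifier,
        "signature_bytes": len(b64url_decode(sig_b64)),  # 256 for RS256/2048
        "expired": now >= claims["exp"],
    }
```

Run against the token from the log, the result shows the Keycloak code and `state` intact, an `identifier` of `undefined`, and an already expired wrapper.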