What's Actually Happening

Keycloak client authentication fails. Applications cannot obtain tokens or authenticate users.

The Error You'll See

```json
{
  "error": "invalid_client",
  "error_description": "Invalid client credentials"
}
```

Why This Happens

  1. Wrong client secret
  2. Client disabled
  3. Redirect URI mismatch
  4. Wrong grant type
  5. Client not found

Step 1: Check Client Exists

```bash
# In Keycloak Admin Console:
# Clients > my-client
```

Step 2: Verify Client Secret

```bash
# Clients > my-client > Credentials
# Regenerate secret if needed
```

Step 3: Check Redirect URIs

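```bash
# Clients > my-client > Valid Redirect URIs
# The redirect_uri the application sends must match an entry here exactly, e.g. https://myapp.com/*
# Keep the pattern as narrow as the application allows; a broad wildcard accepts redirect targets you did not intend.
```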

Step 4: Check Grant Types

```bash
# Clients > my-client > Advanced > Grant Types
# Enable required grant types
```

Step 5: Test Token Endpoint

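```bash
# Use https:// outside a local test setup: the client secret travels in this request.
# --data-urlencode keeps characters such as + & = in the secret intact.
curl -X POST http://keycloak:8080/realms/myrealm/protocol/openid-connect/token \
  -d "client_id=my-client" \
  --data-urlencode "client_secret=mysecret" \
  -d "grant_type=client_credentials"
```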

Step 6: Check Client Status

```bash
# Clients > my-client > Settings
# Ensure Enabled = ON
```

Step 7: Check Logs

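```bash
# Container deployment: read the container's output
docker logs keycloak
# Or, when file logging is enabled: follow the log file
tail -f /opt/keycloak/data/log/keycloak.log
```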

Step 8: Verify Realm

```bash
# Check correct realm in URL
# /realms/myrealm/...
```

Step 9: Check Access Type

```bash
# Clients > my-client > Settings
# Access Type: confidential for server-side apps
# Access Type: public for SPAs
```

Step 10: Review Client Scopes

```bash
# Clients > my-client > Client Scopes
# Ensure required scopes are assigned
```
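
Part of the checklist above can be scripted. The following Python sketch is an added example, not part of the original article or of Keycloak: it looks for local mistakes before a request is sent and maps the RFC 6749 error code in a token-endpoint response to the steps above. The function names and the code-to-step mapping are assumptions of this example, and the sample values are constructed.

```python
import json
from urllib.parse import urlencode, urlsplit

# RFC 6749 section 5.2 error codes mapped to this page's steps (mapping is this example's own).
STEPS = {
    "invalid_client": ["Step 1: client exists", "Step 2: client secret",
                       "Step 6: client enabled", "Step 9: access type"],
    "unauthorized_client": ["Step 4: grant types"],
    "unsupported_grant_type": ["Step 4: grant types"],
    "invalid_grant": ["Step 3: redirect URIs"],
    "invalid_scope": ["Step 10: client scopes"],
}

def preflight(token_url, client_id, client_secret):
    """Return local problems that can be found before any request is sent."""
    findings = []
    parts = urlsplit(token_url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 5 or segs[-5] != "realms" or segs[-3:] != ["protocol", "openid-connect", "token"]:
        findings.append("URL is not a /realms/<realm>/protocol/openid-connect/token endpoint (Step 8)")
    if parts.scheme != "https":
        findings.append("client secret would be sent over plain HTTP")
    if client_secret != client_secret.strip() or client_id != client_id.strip():
        findings.append("client_id or secret has leading/trailing whitespace (Steps 1-2)")
    return findings

def build_body(client_id, client_secret, grant_type="client_credentials"):
    """Form-encode the parameters so characters like + & = in a secret survive."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": grant_type})

def classify(status, body):
    """Map a token-endpoint response to the page's steps to re-check."""
    if status == 200:
        return []
    if status == 404:
        return ["Step 8: realm in URL"]
    try:
        error = json.loads(body).get("error", "")
    except (ValueError, TypeError, AttributeError):
        return ["Step 7: check logs"]  # body is not a JSON error object
    return STEPS.get(error, ["Step 7: check logs"])

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(preflight("http://keycloak:8080/realms/myrealm/protocol/openid-connect/token",
                    "my-client", "mysecret\n"))
    print(classify(401, '{"error":"invalid_client","error_description":"Invalid client credentials"}'))
```

The exact `error_description` text differs between Keycloak versions, so the sketch keys only on the standardized `error` field and the HTTP status.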