From f66354a80e76712ec58960e8f7de3a98924dcd78 Mon Sep 17 00:00:00 2001
From: Benjamin Weimer <external.Benjamin.Weimer@bosch-si.com>
Date: Thu, 28 Jan 2021 08:54:19 +0100
Subject: [PATCH] KEYCLOAK-16947 add error parameters to access token response
 & improve logging

---
 .../representations/AccessTokenResponse.java  | 33 +++++++++++++++++++
 .../broker/oidc/OIDCIdentityProvider.java     |  4 ++-
 .../servlet/LinkAndExchangeServlet.java       |  2 +-
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
index 5b791e19e3..b3e7020d28 100755
--- a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
+++ b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
@@ -61,6 +61,15 @@ public class AccessTokenResponse {
     @JsonProperty("scope")
     protected String scope;
 
+    @JsonProperty("error")
+    protected String error;
+
+    @JsonProperty("error_description")
+    protected String errorDescription;
+
+    @JsonProperty("error_uri")
+    protected String errorUri;
+
     public String getScope() {
         return scope;
     }
@@ -143,4 +152,28 @@ public class AccessTokenResponse {
         otherClaims.put(name, value);
     }
 
+    public String getError() {
+        return error;
+    }
+
+    public void setError(String error) {
+        this.error = error;
+    }
+
+    public String getErrorDescription() {
+        return errorDescription;
+    }
+
+    public void setErrorDescription(String errorDescription) {
+        this.errorDescription = errorDescription;
+    }
+
+    public String getErrorUri() {
+        return errorUri;
+    }
+
+    public void setErrorUri(String errorUri) {
+        this.errorUri = errorUri;
+    }
+
 }
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 2413db83c1..7d781807ec 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -518,7 +518,9 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
         String accessToken = tokenResponse.getToken();
 
         if (accessToken == null) {
-            throw new IdentityBrokerException("No access_token from server.");
+            throw new IdentityBrokerException("No access_token from server. error='" + tokenResponse.getError() +
+                    "', error_description='" + tokenResponse.getErrorDescription() +
+                    "', error_uri='" + tokenResponse.getErrorUri() + "'");
         }
         return accessToken;
     }
diff --git a/testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/LinkAndExchangeServlet.java b/testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/LinkAndExchangeServlet.java
index cb27e13589..00a17e64cb 100644
--- a/testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/LinkAndExchangeServlet.java
+++ b/testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/LinkAndExchangeServlet.java
@@ -118,7 +118,7 @@ public class LinkAndExchangeServlet extends HttpServlet {
             String linkUrl = null;
             try {
                 AccessTokenResponse response = doTokenExchange(realm, tokenString, provider,  clientId, "password");
-                String error = (String)response.getOtherClaims().get("error");
+                String error = response.getError();
                 if (error != null) {
                     System.out.println("*** error : " + error);
                     System.out.println("*** link-url: " + response.getOtherClaims().get("account-link-url"));