KEYCLOAK-16947 add error parameters to access token response & improve logging

core/src/main/java/org/keycloak/representations/AccessTokenResponse.java

@@ -61,6 +61,15 @@ public class AccessTokenResponse {
     @JsonProperty("scope")
     protected String scope;
 
+    @JsonProperty("error")
+    protected String error;
+
+    @JsonProperty("error_description")
+    protected String errorDescription;
+
+    @JsonProperty("error_uri")
+    protected String errorUri;
+
     public String getScope() {
         return scope;
     }
@@ -143,4 +152,28 @@ public class AccessTokenResponse {
         otherClaims.put(name, value);
     }
 
+    public String getError() {
+        return error;
+    }
+
+    public void setError(String error) {
+        this.error = error;
+    }
+
+    public String getErrorDescription() {
+        return errorDescription;
+    }
+
+    public void setErrorDescription(String errorDescription) {
+        this.errorDescription = errorDescription;
+    }
+
+    public String getErrorUri() {
+        return errorUri;
+    }
+
+    public void setErrorUri(String errorUri) {
+        this.errorUri = errorUri;
+    }
+
 }

services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

@@ -518,7 +518,9 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
         String accessToken = tokenResponse.getToken();
 
         if (accessToken == null) {
-            throw new IdentityBrokerException("No access_token from server.");
+            throw new IdentityBrokerException("No access_token from server. error='" + tokenResponse.getError() +
+                    "', error_description='" + tokenResponse.getErrorDescription() +
+                    "', error_uri='" + tokenResponse.getErrorUri() + "'");
         }
         return accessToken;
     }

testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/LinkAndExchangeServlet.java

@@ -118,7 +118,7 @@ public class LinkAndExchangeServlet extends HttpServlet {
             String linkUrl = null;
             try {
                 AccessTokenResponse response = doTokenExchange(realm, tokenString, provider,  clientId, "password");
-                String error = (String)response.getOtherClaims().get("error");
+                String error = response.getError();
                 if (error != null) {
                     System.out.println("*** error : " + error);
                     System.out.println("*** link-url: " + response.getOtherClaims().get("account-link-url"));