Typebot Account Model Field Mismatch with Keycloak Token Response

[Moreira4568]

Describe the bug

Typebot’s integration with Keycloak fails because the fields expected by the Typebot Account model do not fully match the standard OAuth/OpenID Connect token response provided by Keycloak.

Specifically, Typebot expects an expires_at field (representing an absolute timestamp) and a refresh_token_expires_in field, whereas Keycloak returns expires_in (a duration in seconds) and refresh_expires_in.

In addition, the presence of unrecognized fields (such as not-before-policy) completely blocks the login process, forcing developers to implement custom transformations to achieve compatibility.

---

To Reproduce
Steps to reproduce the behavior:

1. Integrate Typebot authentication using Keycloak as the OpenID Connect provider.
2. Notice the mismatched fields:
   • Typebot expects expires_at, but Keycloak returns expires_in (duration in seconds).
   • Typebot expects refresh_token_expires_in, but Keycloak returns refresh_expires_in.
   • Extra fields, such as not-before-policy, are present in the token response.
3. The login process fails, blocking authentication entirely.

---

Expected behavior
It is expected that:

• Typebot accepts Keycloak’s standard token response by allowing the use of expires_in (duration in seconds) instead of requiring an absolute epoch time for expires_at.
• The refresh_expires_in field from Keycloak is mapped to the expected refresh_token_expires_in field in Typebot.
• The oauth_token_secret and oauth_token fields are clarified as optional or can be omitted when integrating with Keycloak.
• The system gracefully handles extra or unexpected fields in the token response without blocking the login process, thereby reducing integration complexity and improving the user experience.

---

Code Snippets & Models

1. Typebot Model (Prisma Schema)

// schema.prisma
model Account {
  id                       String  @id @default(cuid())
  userId                   String
  type                     String
  provider                 String
  providerAccountId        String
  refresh_token            String? @db.Text
  access_token             String? @db.Text
  expires_at               Int?
  token_type               String?
  scope                    String?
  id_token                 String? @db.Text
  session_state            String?
  oauth_token_secret       String?
  oauth_token              String?
  refresh_token_expires_in Int?
  user                     User    @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@unique([provider, providerAccountId])
  @@index([userId])
}

2. Keycloak Token Response

public class AccessTokenResponse {
    @JsonProperty("access_token")
    protected String token;
    @JsonProperty("expires_in")
    protected long expiresIn;
    @JsonProperty("refresh_expires_in")
    protected long refreshExpiresIn;
    @JsonProperty("refresh_token")
    protected String refreshToken;
    @JsonProperty("token_type")
    protected String tokenType;
    @JsonProperty("id_token")
    protected String idToken;
    @JsonProperty("not-before-policy")
    protected int notBeforePolicy;
    @JsonProperty("session_state")
    protected String sessionState;
    protected Map<String, Object> otherClaims = new HashMap();
    @JsonProperty("scope")
    protected String scope;
    @JsonProperty("error")
    protected String error;
    @JsonProperty("error_description")
    protected String errorDescription;
    @JsonProperty("error_uri")
    protected String errorUri;
}

---

Tool Versions & Environment
For context, here are the versions used in the environment where the issue was identified:

• Typebot Builder: 3.5.0
• Keycloak Version: 26.0.6

---

[baptisteArno]

What is the error?? All the fields should be mapped correctly by Auth.js.

[Moreira4568]

The error is as follows:

Unknown argument `refresh_expires_in`. Available options are marked with ?.
    at Tn (/app/node_modules/@prisma/client/runtime/library.js:115:5888)
    at In.handleRequestError (/app/node_modules/@prisma/client/runtime/library.js:122:6510)
    at In.handleAndLogRequestError (/app/node_modules/@prisma/client/runtime/library.js:122:6188)
    at In.request (/app/node_modules/@prisma/client/runtime/library.js:122:5896)
    at async l (/app/node_modules/@prisma/client/runtime/library.js:127:11167) {
  name: 'LinkAccountError',
  code: undefined
}

This error occurs because Prisma doesn’t recognize the refresh_expires_in argument in the model. The refresh_token_expires_in field in Typebot’s schema doesn’t match the response from Keycloak, which uses refresh_expires_in.

[baptisteArno]

Any chance you can provide an access to your Keycloak instance so that I try to reproduce the issue on my machine? baptiste@typebot.io

[Moreira4568]

Hello! Instead of providing you with one of our preconfigured instances, I’d prefer to send a Docker Compose setup that reproduces the error. This way, you can confirm that I’m using the latest version of Typebot and a fairly recent version of Keycloak (26.0.6). I also noticed that the last version that worked properly was 3.4.2.

I’ll send a ZIP file to your email containing the Keycloak realm configuration, which is already mapped via a volume into the Keycloak container. The only changes you’ll need to make are:

• Update the IP address in the .env file (with your IPv4);
• Possibly adjust the WebOrigins and redirect settings in the Keycloak client.

The configured test user credentials are:

• Username: test-user
• Password: test

I’ll forward these files to the email address you mentioned shortly.

[baptisteArno]

Ok I have everything set up but I get "Invalid parameter: redirect_uri" when clicking on Continue with Keycloak. Probably due to WebOrigins and redirect settings. Can you tell me exactly where this is in Keycloak?

[Moreira4568]

First, select the correct realm in the left sidebar, in this case, typebot-realm. Then, once you’re in that realm, go to the Clients tab. You should see the typebot-client realm there (if not, make sure your list is set to show all clients).

Next, scroll down to Access Settings, where you’ll find the valid redirect URIs and the web origins. After updating them to your IPv4 address, simply save your changes. You won’t need to restart anything; you should be able to log in immediately.

If you still have any questions, feel free to reach out to me directly on Discord to make the process easier.

[baptisteArno]

Appreciate the reproduction 🙏. Will be fixed on next release!