Error 69: "Unable to Sign In" Occurs After Configured OpenID Connect with Keycloak

Published: 25 Aug 2022
Last Modified Date: 25 Aug 2022


Error 69: "Unable to Sign In" Occurs After Configured OpenID Connect with Keycloak.

After enabling enhanced OpenID logging, the following error can be found in vizportal log:

DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Received idp auth code, starting back-channel request to exchange it for an access token.
DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Exchanging authentication code for access token.
DEBUG com.tableausoftware.domain.user.openid.OpenIDConnectHelper - Parsing response.
WARN  com.tableausoftware.api.webclient.WebClientGetAuthenticationController - WebClientGetAuthenticationController failed during OpenID login attempt
com.tableausoftware.domain.exceptions.AuthenticationException: Parameter client_assertion_type is missing HTTPResponse: {"error_description":"Parameter client_assertion_type is missing","error":"invalid_client"} (errorCode=69)




  • Tableau Server
  • OpenID Connect
  • KeyCloak


Option 1:
Make sure the Client authentication in Keycloak is set to "client ID and secret". For more information, please refer to the third-party links below
2.1.14. Client authentication *
By default, there are three ways to authenticate the client: client ID and client secret, client authentication with signed JWT, or client authentication with signed JWT using client secret.

Option 2:
Make sure the vizportal.openid.client_authentication parameter is set to "client_secret_basic" (the Tableau default). For more information, please refer to Error 69: "Unable to Sign In".
  • tsm configuration set -k vizportal.openid.client_authentication -v client_secret_basic
  • tsm pending-changes apply

*Although we make every effort to ensure links to external websites are accurate, up to date, and relevant, Tableau cannot take responsibility for the accuracy or freshness of pages maintained by external providers. Contact the external site for answers to questions regarding its content.


Tableau Server does not currently support a signed Json Web Token instead of a secret.
Did this article resolve the issue?