[keycloak-user] Programmatic username/password access with KeyCloak using external IDP brokering

Yuriy Yunikov yuriy.yunikov at verygood.systems
Mon Dec 4 13:22:00 EST 2017


Hello,

We're using Identity Brokering feature and we use external IDP. So, user
logs in to external IDP UI, then KeyCloak broker client receives JWT
token from external IDP and KeyCloak provides JWT with which we access our
resources. We've set up "Default Identity Provider" feature, so external
IDP login screen is displayed to the user on login. That means that users
and their passwords are stored on external IDP.

The problem occurs when we need to log in using "Direct Access Grant"
(Resource Owner Password grant) programmatically in our tests. As password
is not stored on KeyCloak, we always get 401 Unauthorized error from
KeyCloak on login. When I tried to change user password it started to work,
so the problem is that user password is not provisioned on KeyCloak and
using "Direct Access Grant" KeyCloak doesn't invoke external IDP.

Is there any way it can be fixed? For example to call identity broker on
"Direct Access Grant", so that KeyCloak provides us its valid token?

Regards,
Yuriy
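The exchange described above, as an added example that is not part of the original post and not Keycloak's own code: it builds the Resource Owner Password ("Direct Access Grant") request against the realm token endpoint, classifies the token endpoint's answer so a test can tell the "no local credential, broker not invoked" 401 apart from other failures, and checks that a returned JWT was issued by the Keycloak realm rather than the external IDP. The base URL, realm name, client id, the sample responses and the unsigned sample tokens are all constructed placeholders; on older Keycloak distributions the token endpoint path carries an `/auth` prefix.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Assumed placeholders (not from the original post): adjust to your realm.
KEYCLOAK_URL = "https://keycloak.example.test"
REALM = "demo"
CLIENT_ID = "test-client"


def token_endpoint(base_url=KEYCLOAK_URL, realm=REALM):
    """Realm token endpoint; older Keycloak builds serve it under /auth/realms/..."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def direct_grant_form(username, password, client_id=CLIENT_ID, client_secret=None):
    """Form fields for grant_type=password (Direct Access Grant)."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret:  # confidential clients must also present their secret
        form["client_secret"] = client_secret
    return form


def build_direct_grant_request(username, password, client_id=CLIENT_ID, client_secret=None):
    """urllib Request for the direct grant; not sent here, so the example runs offline."""
    body = urlencode(direct_grant_form(username, password, client_id, client_secret)).encode()
    return Request(
        token_endpoint(),
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def classify_token_response(status, body):
    """Map the token endpoint's answer to a test-friendly verdict.

    A 401 with error=invalid_grant is what a brokered user gets when no
    password is provisioned in Keycloak: the direct grant checks local
    credentials only and never calls the external IDP.
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "ok"
    if status == 401 and data.get("error") == "invalid_grant":
        return "invalid_credentials"
    return "error"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned JWT for offline testing only (alg=none, empty signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token):
    """Decode the payload without verifying the signature; inspection only,
    never authorization. Verify the signature against the realm keys before
    trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_by_realm(token, base_url=KEYCLOAK_URL, realm=REALM):
    """True when the iss claim names this Keycloak realm, not the external IDP."""
    return jwt_claims(token).get("iss") == f"{base_url}/realms/{realm}"


# Constructed sample responses, shaped like the token endpoint's JSON.
SAMPLE_401_BODY = json.dumps(
    {"error": "invalid_grant", "error_description": "Invalid user credentials"}
)
SAMPLE_200_BODY = json.dumps(
    {
        "access_token": make_sample_token({"iss": f"{KEYCLOAK_URL}/realms/{REALM}", "sub": "alice"}),
        "token_type": "bearer",
        "expires_in": 300,
    }
)

if __name__ == "__main__":
    req = build_direct_grant_request("alice", "s3cret")
    print(req.full_url, req.get_method(), req.data)
    print(classify_token_response(401, SAMPLE_401_BODY))
    print(classify_token_response(200, SAMPLE_200_BODY))
```

In a test suite the verdict `invalid_credentials` for a user known to exist only in the external IDP is the symptom from the post, and `issued_by_realm` distinguishes a Keycloak-minted token from one obtained directly from the external IDP.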

