[keycloak-user] Can't invoke Keycloak's OpenID Connect token endpoint with grant type set to password

Виталий Ищенко betalb at gmail.com
Fri Dec 22 07:27:41 EST 2017


Hello

I've missed one important thing in your first question: you created the
client in demo-realm, but you are trying to get a token in the master realm:

./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r *demo-realm*

http://localhost:18080/auth/realms/*master*/protocol/openid-connect/token

Also, I've noticed that after you recreated the client, direct
grant (grant_type=password) was disabled (directAccessGrantsEnabled:
false); in your previous version of the client it was enabled.

On Fri, Dec 22, 2017 at 2:49 PM Nicolas DUMINIL <nicolas.duminil at simplex-software.fr> wrote:

> Hi,
>
> Thanks for taking the time to reply to my post. I'm not sure why I should
> pass the client secret in the curl request. The tutorial I'm following
> doesn't do that. But anyway, the following command:
>
> curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7" http://localhost:18080/auth/realms/master/protocol/openid-connect/token
>
> raises the same exception:
>
> {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}
>
> Whatever I do, the result is the same. Here below I'm pasting again the
> curl client that I have recreated:
>
> {
>   "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
>   "clientId" : "curl",
>   "surrogateAuthRequired" : false,
>   "enabled" : true,
>   "clientAuthenticatorType" : "client-secret",
>   "redirectUris" : [ "http://localhost" ],
>   "webOrigins" : [ "http://localhost" ],
>   "notBefore" : 0,
>   "bearerOnly" : false,
>   "consentRequired" : false,
>   "standardFlowEnabled" : true,
>   "implicitFlowEnabled" : false,
>   "directAccessGrantsEnabled" : false,
>   "serviceAccountsEnabled" : true,
>   "publicClient" : false,
>   "frontchannelLogout" : false,
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "saml.assertion.signature" : "false",
>     "saml.force.post.binding" : "false",
>     "saml.multivalued.roles" : "false",
>     "saml.encrypt" : "false",
>     "saml_force_name_id_format" : "false",
>     "saml.client.signature" : "false",
>     "saml.authnstatement" : "false",
>     "saml.server.signature" : "false",
>     "saml.server.signature.keyinfo.ext" : "false",
>     "saml.onetimeuse.condition" : "false"
>   },
>   "fullScopeAllowed" : true,
>   "nodeReRegistrationTimeout" : -1,
>   "protocolMappers" : [ {
>     "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
>     "name" : "role list",
>     "protocol" : "saml",
>     "protocolMapper" : "saml-role-list-mapper",
>     "consentRequired" : false,
>     "config" : {
>       "single" : "false",
>       "attribute.nameformat" : "Basic",
>       "attribute.name" : "Role"
>     }
>   }
>
> Kind regards,
>
> Nicolas
>
> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
> *Sent:* Thursday, 21 December 2017 22:07
> *To:* nicolas.duminil at simplex-software.fr
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Can't invoke Keycloak's OpenID Connect token endpoint with grant type set to password
>
> You need to pass the client secret; note this part in the provided JSON:
> "clientAuthenticatorType" : "client-secret"
>
> You can find the client secret in the UI or use kcadm.sh:
>
> ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/*client-secret* -r demo-realm
>
> On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL <nicolas.duminil at simplex-software.fr> wrote:
>
> Hello,
>
> I'm following this blog
> (http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html)
> to secure some jax-rs services. I have the following client:
>
> ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm
>
> {
>   "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42",
>   "clientId" : "curl",
>   "surrogateAuthRequired" : false,
>   "enabled" : true,
>   "clientAuthenticatorType" : "client-secret",
>   "redirectUris" : [ "http://localhost" ],
>   "webOrigins" : [ ],
>   "notBefore" : 0,
>   "bearerOnly" : false,
>   "consentRequired" : false,
>   "standardFlowEnabled" : true,
>   "implicitFlowEnabled" : false,
>   "directAccessGrantsEnabled" : true,
>   "serviceAccountsEnabled" : true,
>   "authorizationServicesEnabled" : false,
>   "publicClient" : true,
>   "frontchannelLogout" : false,
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "saml.assertion.signature" : "false",
>     "saml.force.post.binding" : "false",
>     "saml.multivalued.roles" : "false",
>     "saml.encrypt" : "false",
>     "saml_force_name_id_format" : "false",
>     "saml.client.signature" : "false",
>     "saml.authnstatement" : "false",
>     "saml.server.signature" : "false",
>     "saml.server.signature.keyinfo.ext" : "false",
>     "saml.onetimeuse.condition" : "false"
>   },
>   "fullScopeAllowed" : true,
>   "nodeReRegistrationTimeout" : -1,
>   "protocolMappers" : [ {
>     "id" : "5916961f-e222-4a6d-968e-ca2031961168",
>     "name" : "family name",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-property-mapper",
>     "consentRequired" : true,
>     "consentText" : "${familyName}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "lastName",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "family_name",
>       "jsonType.label" : "String"
>     }
>   }
>
> I'm doing the following curl request:
>
> curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto" http://localhost:18080/auth/realms/master/protocol/openid-connect/token
>
> and I get the following error:
>
> {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}
>
> The user "customer-manager-user" is as follows:
>
> [jboss at ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user
> [ {
>   "id" : "52f6b73c-0982-415d-9157-a4735bf619b1",
>   "createdTimestamp" : 1513861722307,
>   "username" : "customer-manager-user",
>   "enabled" : true,
>   "totp" : false,
>   "emailVerified" : false,
>   "disableableCredentialTypes" : [ "password" ],
>   "requiredActions" : [ ],
>   "notBefore" : 0,
>   "access" : {
>     "manageGroupMembership" : true,
>     "view" : true,
>     "mapRoles" : true,
>     "impersonate" : true,
>     "manage" : true
>   }
> } ]
>
> I have googled in order to find a solution and I found several persons
> reporting the issue but I didn't find any solution. Many thanks in advance
> for any help.
>
> Kind regards,
>
> Nicolas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
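A pre-flight check for the two mismatches identified in this thread (a token request sent to the master realm's endpoint for a client that lives in demo-realm, and directAccessGrantsEnabled turned off on the recreated client), plus the client_secret a confidential client has to send. This is an added example, not code from the thread or from Keycloak; the JSON field names come from the kcadm.sh output quoted above, while the function names and the check logic are this example's own assumptions.

```python
"""Pre-flight check of a Keycloak password-grant request against the client
representation that kcadm.sh returns.

Added example for this thread, not code from the thread or from Keycloak.
The JSON fields (directAccessGrantsEnabled, publicClient,
clientAuthenticatorType) and the /auth/realms/<realm>/... URL layout are
the ones shown above; the check logic and function names are assumptions."""
from urllib.parse import parse_qs, urlparse


def token_endpoint(base_url: str, realm: str) -> str:
    """Token endpoint of a realm, in the URL layout used in the thread."""
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def realm_of(token_url: str) -> str:
    """Realm name from .../auth/realms/<realm>/protocol/openid-connect/token."""
    parts = urlparse(token_url).path.split("/")
    return parts[parts.index("realms") + 1]


def check_password_grant(client: dict, client_realm: str,
                         token_url: str, body: str) -> list:
    """Return the reasons a grant_type=password request would be rejected
    (an empty list means the request is consistent with the client)."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    problems = []
    # Clients are scoped to a realm: the master realm's endpoint cannot see a
    # client created in demo-realm, so Keycloak answers UNKNOWN_CLIENT.
    if realm_of(token_url) != client_realm:
        problems.append(f"realm mismatch: client is in {client_realm}, "
                        f"request goes to {realm_of(token_url)}")
    if params.get("client_id") != client.get("clientId"):
        problems.append("client_id does not match the client's clientId")
    if params.get("grant_type") == "password" \
            and not client.get("directAccessGrantsEnabled"):
        problems.append("directAccessGrantsEnabled is false: "
                        "password grant is disabled for this client")
    # A confidential client (publicClient: false) must authenticate; with the
    # client-secret authenticator the OAuth 2.0 body parameter is client_secret.
    if not client.get("publicClient") \
            and client.get("clientAuthenticatorType") == "client-secret" \
            and "client_secret" not in params:
        hint = (" ('client-secret' was sent; the parameter name is client_secret)"
                if "client-secret" in params else "")
        problems.append("confidential client but no client_secret in body" + hint)
    return problems
```

Feed it the client representation from `kcadm.sh get clients/<id> -r <realm>` together with the exact request body; an empty list means the request is at least consistent with how the client is configured.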

