[keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password

Nalyvayko, Peter pnalyvayko at agi.com
Fri Dec 22 13:01:12 EST 2017 

Hello,

A couple of suggestions. First, you need to configure your client to allow direct grant requests by setting "directAccessGrantsEnabled" to true. Second, it should be "client_secret", not "client-secret".

My $0.02
--Regards
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Nicolas DUMINIL [nicolas.duminil at simplex-software.fr]
Sent: Friday, December 22, 2017 6:49 AM
To: 'Виталий Ищенко'
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token        endpoint with grant type set to password

Hi,



Thanks for taking the time to reply to my post. I'm not sure why should I pass the client secret in the curl request. The tutorial I'm following doesn't do that. But anyway, the following command:




curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7"  <http://localhost:18080/auth/realms/master/protocol/openid-connect/token> http://localhost:18080/auth/realms/master/protocol/openid-connect/token



raises the same exception:



{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}



Whatever I do, the result is the same. Here below I'm pasting again is the curl client that I have recreated:



{
  "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ "http://localhost" ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : false,
  "serviceAccountsEnabled" : true,
  "publicClient" : false,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
    "name" : "role list",
    "protocol" : "saml",
    "protocolMapper" : "saml-role-list-mapper",
    "consentRequired" : false,
    "config" : {
      "single" : "false",
      "attribute.nameformat" : "Basic",
      "attribute.name" : "Role"
    }
  }



Kind regards,



Nicolas





From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: jeudi 21 décembre 2017 22:07
To: nicolas.duminil at simplex-software.fr
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password



You need to pass client secret, note this part in provided json: "clientAuthenticatorType" : "client-secret"



You can find client secret on UI or use kcadm.sh



./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/client-secret -r demo-realm



On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL <nicolas.duminil at simplex-software.fr> wrote:

Hello,



I'm following this blog (
<http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.htm
l>
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
) to secure some jax-rs services. I have the following client:



./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r
demo-realm

{
  "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ " <http://localhost> http://localhost" ],
  "webOrigins" : [ ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "5916961f-e222-4a6d-968e-ca2031961168",
    "name" : "family name",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-usermodel-property-mapper",
    "consentRequired" : true,
    "consentText" : "${familyName}",
    "config" : {
      "userinfo.token.claim" : "true",
      "user.attribute" : "lastName",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "family_name",
      "jsonType.label" : "String"
    }
  }



I'm doing the following curl request:



curl --data
"grant_type=password&client_id=curl&username=customer-manager-user&password=
toto"
<http://localhost:18080/auth/realms/master/protocol/openid-connect/token>
http://localhost:18080/auth/realms/master/protocol/openid-connect/token



and I get the following error:



{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client
was not identified by any client authenticator"}



The user "customer-manager-user" is as follows:



[jboss at ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q
username=customer-manager-user
[ {
  "id" : "52f6b73c-0982-415d-9157-a4735bf619b1",
  "createdTimestamp" : 1513861722307,
  "username" : "customer-manager-user",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ "password" ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]



I have googled in order to find a solution and I found several persons
reporting the issue but I didn't find any solution. Many thanks in advance
for any help.



Kind regards,



Nicolas

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list