[keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password

Nicolas DUMINIL nicolas.duminil at simplex-software.fr
Tue Dec 26 11:22:19 EST 2017


Hi Vitali,

 

Thanks again for your help. Yes, you're right, the URL used in order to get the token was not the right one. Now, with the following client:

 

{
  "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ "http://localhost" ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
    "name" : "role list",
    "protocol" : "saml",
    "protocolMapper" : "saml-role-list-mapper",
    "consentRequired" : false,
    "config" : {
      "single" : "false",
      "attribute.nameformat" : "Basic",
      "attribute.name" : "Role"
    }
  }

and the following curl request:

 

curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=..." http://localhost:18080/auth/realms/demo-realm/protocol/openid-connect/token

 

I'm able to get the token. Indeed, the parameter "directAccessGrantsEnabled" is now "true".

 

Many thanks for your help and support. This closes this issue.

 

Kind regards,

 

Nicolas

 

 

From: Виталий Ищенко [mailto:betalb at gmail.com] 
Sent: Friday 22 December 2017 13:28
To: nicolas.duminil at simplex-software.fr
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password

 

Hello

 

I've missed one important thing in your first question: you've created client in demo-realm, but trying to get token in master realm

 

./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm

 

http://localhost:18080/auth/realms/master/protocol/openid-connect/token

 

Also, I've mentioned that after you recreated client, direct grant (grant_type=password) was disabled (directAccessGrantsEnabled: false), in your previous version of client, it was enabled.

 

On Fri, Dec 22, 2017 at 2:49 PM Nicolas DUMINIL <nicolas.duminil at simplex-software.fr> wrote:

Hi,

 

Thanks for taking the time to reply to my post. I'm not sure why I should pass the client secret in the curl request. The tutorial I'm following doesn't do that. But anyway, the following command:

 


curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7" http://localhost:18080/auth/realms/master/protocol/openid-connect/token

 

raises the same exception:

 

{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}

 

Whatever I do, the result is the same. Here below I'm pasting again the curl client that I have recreated:

 

{
  "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ "http://localhost" ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : false,
  "serviceAccountsEnabled" : true,
  "publicClient" : false,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
    "name" : "role list",
    "protocol" : "saml",
    "protocolMapper" : "saml-role-list-mapper",
    "consentRequired" : false,
    "config" : {
      "single" : "false",
      "attribute.nameformat" : "Basic",
      "attribute.name" : "Role"
    }
  }
 

Kind regards,

 

Nicolas

 

 

From: Виталий Ищенко [mailto:betalb at gmail.com] 
Sent: Thursday 21 December 2017 22:07
To: nicolas.duminil at simplex-software.fr
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password

 

You need to pass client secret, note this part in provided json: "clientAuthenticatorType" : "client-secret"

 

You can find client secret on UI or use kcadm.sh

 

./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/client-secret -r demo-realm

 

On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL <nicolas.duminil at simplex-software.fr> wrote:

Hello,



I'm following this blog (http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) to secure some jax-rs services. I have the following client:



./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm

{
  "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "5916961f-e222-4a6d-968e-ca2031961168",
    "name" : "family name",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-usermodel-property-mapper",
    "consentRequired" : true,
    "consentText" : "${familyName}",
    "config" : {
      "userinfo.token.claim" : "true",
      "user.attribute" : "lastName",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "family_name",
      "jsonType.label" : "String"
    }
  }



I'm doing the following curl request:



curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto" http://localhost:18080/auth/realms/master/protocol/openid-connect/token



and I get the following error:



{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}



The user "customer-manager-user" is as follows:



[jboss at ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user
[ {
  "id" : "52f6b73c-0982-415d-9157-a4735bf619b1",
  "createdTimestamp" : 1513861722307,
  "username" : "customer-manager-user",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ "password" ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]



I have googled in order to find a solution and I found several persons
reporting the issue but I didn't find any solution. Many thanks in advance
for any help.



Kind regards,



Nicolas

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
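The thread above resolves to three separate mistakes: the token URL named the master realm while the client lived in demo-realm, the recreated client had directAccessGrantsEnabled set to false, and, once the client was confidential, the secret was sent as "client-secret" rather than the OAuth 2.0 parameter client_secret. The following script is an added example written for this page; it is not Keycloak's code, nor anything the original poster ran. It takes a client representation of the kind `kcadm.sh get clients/<id> -r <realm>` prints and checks, before any curl call, whether a grant_type=password request can succeed, then builds the correct request. The /auth context root, endpoint path, realm and client names are taken from the thread; the function names and the abbreviated sample clients are this example's own, and Keycloak's real server-side checks go beyond the four modelled here.

```python
"""Preflight for a Keycloak password grant (grant_type=password, "direct access grant").

Added example for this thread, not Keycloak's code or the poster's. It models only
the failure modes seen in the thread: token URL naming the wrong realm, client
with directAccessGrantsEnabled=false, confidential client without client_secret,
and the secret sent under the misspelled name "client-secret". Assumptions: the
/auth context root and endpoint path come from the thread; the function names and
the abbreviated sample clients below are this example's own.
"""
from urllib.parse import urlencode

TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def token_endpoint(base_url, realm):
    """Token endpoint of `realm` on a Keycloak server reachable at `base_url`."""
    return base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)


def preflight(client, client_realm, request_url, params):
    """Return the list of problems with a planned request (empty means it looks acceptable).

    client        dict parsed from the kcadm.sh client representation
    client_realm  realm the client was created in (the -r value given to kcadm.sh)
    request_url   token endpoint URL the caller intends to POST to
    params        form parameters the caller intends to send
    """
    problems = []
    if not request_url.endswith(TOKEN_PATH.format(realm=client_realm)):
        problems.append(f"token URL does not target realm {client_realm!r}: {request_url}")
    if params.get("grant_type") != "password":
        problems.append("grant_type must be 'password' for a direct access grant")
    if params.get("client_id") != client.get("clientId"):
        problems.append("client_id does not match the client's clientId")
    if not client.get("enabled", False):
        problems.append("client is disabled")
    if not client.get("directAccessGrantsEnabled", False):
        problems.append("directAccessGrantsEnabled is false: the password grant is refused")
    # A confidential client must authenticate; with clientAuthenticatorType
    # "client-secret" that means a client_secret form parameter (RFC 6749, 2.3.1).
    if (not client.get("publicClient", False)
            and client.get("clientAuthenticatorType") == "client-secret"
            and "client_secret" not in params):
        msg = "confidential client but no client_secret parameter"
        if "client-secret" in params:
            msg += " ('client-secret' is not the OAuth 2.0 parameter name)"
        problems.append(msg)
    for name in ("username", "password"):
        if not params.get(name):
            problems.append(f"missing {name}")
    return problems


def build_request(client, client_realm, base_url, username, password, client_secret=None):
    """Return (url, urlencoded body) for a request that passes preflight, else raise ValueError."""
    params = {"grant_type": "password", "client_id": client["clientId"],
              "username": username, "password": password}
    if not client.get("publicClient", False):
        if client_secret is None:
            raise ValueError("confidential client: fetch the secret with "
                             "kcadm.sh get clients/<id>/client-secret -r <realm>")
        params["client_secret"] = client_secret
    url = token_endpoint(base_url, client_realm)
    problems = preflight(client, client_realm, url, params)
    if problems:
        raise ValueError("; ".join(problems))
    return url, urlencode(params)


# Constructed sample clients, abbreviated from the three representations in the
# thread to the fields the check reads (first post, recreated client, final client).
FIRST_CLIENT = {"clientId": "curl", "enabled": True, "clientAuthenticatorType": "client-secret",
                "directAccessGrantsEnabled": True, "publicClient": True}
RECREATED_CLIENT = dict(FIRST_CLIENT, directAccessGrantsEnabled=False, publicClient=False)
FINAL_CLIENT = dict(FIRST_CLIENT)
BASE_URL = "http://localhost:18080"


def thread_attempts():
    """Run the thread's three curl attempts through preflight; returns {attempt: problems}."""
    user = {"grant_type": "password", "client_id": "curl",
            "username": "customer-manager-user", "password": "toto"}
    master = token_endpoint(BASE_URL, "master")
    demo = token_endpoint(BASE_URL, "demo-realm")
    return {
        # client created in demo-realm, token requested from master
        "first": preflight(FIRST_CLIENT, "demo-realm", master, user),
        # recreated as confidential with direct grants off, secret sent as "client-secret"
        "second": preflight(RECREATED_CLIENT, "demo-realm", master,
                            dict(user, **{"client-secret": "..."})),
        # public client, direct grants on, right realm: the request that finally worked
        "third": preflight(FINAL_CLIENT, "demo-realm", demo, user),
    }


if __name__ == "__main__":
    for attempt, problems in thread_attempts().items():
        print(attempt, "->", problems or "ok")
    url, body = build_request(FINAL_CLIENT, "demo-realm", BASE_URL, "customer-manager-user", "toto")
    print(f"curl --data '{body}' {url}")
```

Running it prints one problem for the first attempt (wrong realm), three for the second (wrong realm, direct grants disabled, secret under the wrong parameter name) and "ok" for the third, then the curl line equivalent to the one that closed the thread. The UNKNOWN_CLIENT error Keycloak returned does not distinguish these causes, which is why checking the client representation and the realm in the URL before retrying saves time.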
