<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Looks like we already support it? When you
go in the admin console to "Authentication" and then choose the flow
"Direct grant", you can see that the OTP authenticator is there and
it's optional by default (not sure if you accidentally changed it
to REQUIRED based on your errors). <br>
<br>
The possibilities are:<br>
- Add parameter "totp" to the direct grant request together with
username and password (for example
<span style="font-family:Menlo;font-size:11px">username=sarp&password=pass1234&totp=123456&grant_type=password&client_id=admin-cli</span>)<br>
- Disable the OTP Authenticator for the direct grants flow (just if
you don't have a way to ask the user for TOTP in your app).<br>
<br>
Marek<br>
On 17/02/16 17:04, Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfmOPz6MZ8DJLcZ+EZTFQJmvMcemTrLq6Wn4r_SkL=3ng@mail.gmail.com"
type="cite">
<div dir="ltr">You can't get the token using direct grant if totp
is enabled. We will have to add this at some point. Feel free to
create a JIRA for it.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 17 February 2016 at 15:39, Sarp Kaya
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:akaya@expedia.com" target="_blank">akaya@expedia.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>My issue is not the "Account is not fully set up" error,
I can "afford" to set it up through the web UI. The
problem is that after setting it up, the curl that I give does
not grant me a token and gives an "Invalid user
credentials" error, despite the fact that username and
password are correct.</div>
<div>So my question is whether it is possible to get the
token using "<a moz-do-not-send="true"
href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token"
style="font-family:Menlo;font-size:11px"
target="_blank">/auth/realms/{realms}/protocol/openid-connect/token</a>"
or a similar API when the account itself has TOTP enabled
(and configured)?</div>
<div><br>
</div>
<span>
<div
style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium
none;BORDER-LEFT:medium
none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Bruno
Oliveira <<a moz-do-not-send="true"
href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday,
February 17, 2016 at 8:01 PM<br>
<span style="font-weight:bold">To: </span>Abdullah
Sarp Kaya <<a moz-do-not-send="true"
href="mailto:akaya@expedia.com" target="_blank">akaya@expedia.com</a>>,
Bill Burke <<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>,
"<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>>
<div>
<div class="h5"><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] Disabling status cookie<br>
</div>
</div>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr"><span
style="font-size:small;line-height:20px">I
believe that Stian recently replied here </span><a
moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-user/2016-January/004484.html"
style="font-size:small;line-height:20px"
target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2016-January/004484.html</a><br>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Feb 17, 2016 at 3:55 AM
Sarp Kaya <<a moz-do-not-send="true"
href="mailto:akaya@expedia.com"
target="_blank">akaya@expedia.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div><font face="Calibri,sans-serif">Thanks
for the suggestion. It works just as
expected. I was also wondering how
the direct grant API would use TOTP. I
tried using it; before configuring it I
received </font><span
style="font-family:Menlo;font-size:11px">{"error_description":"Account
is not fully set
up","error":"invalid_grant"}</span><font
face="Calibri,sans-serif">, however
after setting up the account I kept
getting </font><span
style="font-family:Menlo;font-size:11px">{"error_description":"Invalid
user
credentials","error":"invalid_grant"}</span><font
face="Calibri,sans-serif">. This is
how I requested it:</font></div>
<div>
<p
style="margin:0px;font-size:11px;font-family:Menlo">curl
-X POST '<a moz-do-not-send="true"
href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token"
target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/token</a>'
--data
'username=sarp&password=pass1234&grant_type=password&client_id=admin-cli'
-v</p>
</div>
<div><font face="Calibri,sans-serif">Have I
done something incorrect when
requesting a token?</font></div>
<div
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><br>
</div>
<span
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px">
<div
style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium
none;BORDER-LEFT:medium
none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
1pt solid;BORDER-RIGHT:medium
none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span><<a
moz-do-not-send="true"
href="mailto:keycloak-user-bounces@lists.jboss.org"
target="_blank">keycloak-user-bounces@lists.jboss.org</a>>
on behalf of Bill Burke <<a
moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday,
February 16, 2016 at 10:38 PM<br>
<span style="font-weight:bold">To: </span>"<a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Disabling
status cookie<br>
</div>
<div><br>
</div>
<div>
</div>
</span></div>
<div style="word-wrap:break-word"><span
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px">
<div>
<div bgcolor="#FFFFFF" text="#000000">See
our direct grant API. Here's an
example:<br>
<br>
<a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java</a><br>
<br>
I *STRONGLY* suggest you do not use
the direct grant API for
browser-based applications.
Otherwise you lose 90% of the
features of Keycloak. Use the
direct grant API for REST clients,
that's what it was designed for.
<br>
<br>
<div>On 2/16/2016 1:59 AM, Sarp Kaya
wrote:<br>
</div>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px">
<div>
<div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<div>Hello,</div>
<div><br>
</div>
<div>I want my users to be able to
log in via API calls with or
without requiring a browser. I
looked at the examples and found
customer-app-cli, however I
realised that even with manual
login, the current workflow
requires a browser to log in. I
found that every time </div>
<div><a moz-do-not-send="true"
href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob"
target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob</a></div>
<div><br>
</div>
<div>this page loads we get a form
with a different code. In theory
we should be able to just stick
the username and password in the
body and get a 302
response. However, when I get the
curl equivalent of what the browser
is doing I've gotten the below:</div>
<div><br>
</div>
<pre style="font-family:Menlo;font-size:11px">curl '<a moz-do-not-send="true" href="http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd" target="_blank">http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd</a>' \
  -H 'Cookie: KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[elided].B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0' \
  -H 'Origin: <a moz-do-not-send="true" href="http://localhost:8080" target="_blank">http://localhost:8080</a>' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: en-US,en;q=0.8' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Cache-Control: max-age=0' \
  -H 'Referer: <a moz-do-not-send="true" href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob</a>' \
  -H 'Connection: keep-alive' \
  --data 'username=sarp&password=pass1234&login=Log+in' \
  --compressed</pre>
<div><br>
</div>
<div>I was hoping not to use the
cookies and just change the code
bit with a new request to the
page mentioned above and expect
a 302 response, however I am
getting 500 responses saying an
error occurred instead.</div>
<div><br>
</div>
<div>I looked in the admin management
console, but could not really
find a way to disable cookies
for the given client or the
realm. I am guessing that one of
those cookies is encrypting
something that is required and
not using it simply prevents
logging in successfully. So how
can I disable this requirement?</div>
<div><br>
</div>
<div>Kind Regards,</div>
<div>Sarp Kaya</div>
</blockquote>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px">
<div>
<div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span
style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px">
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</div>
</div>
</span></div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</span>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
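<div>Added example, not code from this thread or from the Keycloak project: a Python 3 REST client (the kind of caller Bill says the direct grant API is meant for) that does what Marek describes, computing an RFC 6238 TOTP locally and sending it as the extra <code>totp</code> form parameter, and mapping the two <code>invalid_grant</code> replies Sarp quotes to their cause. The realm and client_id are taken from the curl in the thread; the endpoint and the use of the RFC 6238 reference secret in the test are assumptions of this example.</div>

```python
import base64
import hashlib
import hmac
import json
import struct
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token"  # assumed

def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, 30 s step, 6 digits (Keycloak's default OTP policy)."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def direct_grant_body(username, password, otp, client_id="admin-cli"):
    """Form body for the direct grant; 'totp' is the extra parameter Marek names."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password, "totp": otp}
    return urllib.parse.urlencode(fields)

def classify(status, body):
    """Map the token endpoint's JSON reply to a reason (the two errors Sarp quotes included)."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "ok"
    desc = data.get("error_description", "") if data.get("error") == "invalid_grant" else ""
    if desc == "Account is not fully set up":
        return "otp_not_configured"  # a required action such as Configure OTP is still pending
    if desc == "Invalid user credentials":
        return "bad_credentials"  # wrong password, or OTP missing/wrong while OTP is REQUIRED
    return "other"

def request_token(username, password, base32_secret, client_id="admin-cli"):
    """Run the direct grant with a freshly computed TOTP and return classify()'s verdict."""
    secret = base64.b32decode(base32_secret.upper() + "=" * (-len(base32_secret) % 8))
    body = direct_grant_body(username, password, totp(secret, time.time()), client_id)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # Keycloak answers 400/401 with a JSON error body
        return classify(err.code, err.read().decode())
```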
<br>
</body>
</html>