<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>My issue is not the &quot;Account is not fully set up&quot; error; I can &quot;afford&quot; to set it up through the web UI. The problem is that after setting it up, the curl request that I give does not grant me a token and gives an &quot;Invalid user credentials&quot; error, despite the fact that the username
 and password are correct.</div>
<div>So my question is whether it is possible to get the token using &quot;<a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token" target="_blank" style="font-family: Menlo; font-size: 11px;">/auth/realms/{realms}/protocol/openid-connect/token</a>&quot;
 or a similar API when the account itself has TOTP enabled (and configured)?</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Bruno Oliveira &lt;<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Wednesday, February 17, 2016 at 8:01 PM<br>
<span style="font-weight:bold">To: </span>Abdullah Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt;, Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;, &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot;
 &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Disabling status cookie<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr"><span style="font-size:small;line-height:20px">I believe that Stian recently replied here&nbsp;</span><a href="http://lists.jboss.org/pipermail/keycloak-user/2016-January/004484.html" style="font-size:small;line-height:20px">http://lists.jboss.org/pipermail/keycloak-user/2016-January/004484.html</a><br>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Feb 17, 2016 at 3:55 AM Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div><font face="Calibri,sans-serif">Thanks for the suggestion. It works just as expected. I was also wondering how the direct grant API would use TOTP. I tried using it; before configuring, I received&nbsp;</font><span style="font-family:Menlo;font-size:11px">{&quot;error_description&quot;:&quot;Account is not fully set up&quot;,&quot;error&quot;:&quot;invalid_grant&quot;}</span><font face="Calibri,sans-serif">; however, after setting up the account&nbsp;I kept getting&nbsp;</font><span style="font-family:Menlo;font-size:11px">{&quot;error_description&quot;:&quot;Invalid user credentials&quot;,&quot;error&quot;:&quot;invalid_grant&quot;}</span><font face="Calibri,sans-serif">. This
 is how&nbsp;I requested it:</font></div>
<div>
<p style="margin:0px;font-size:11px;font-family:Menlo">curl -X POST '<a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/token</a>' --data 'username=sarp&amp;password=pass1234&amp;grant_type=password&amp;client_id=admin-cli'
 -v</p>
</div>
<div><font face="Calibri,sans-serif">Have&nbsp;I done something incorrectly when requesting a token?</font></div>
<div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><br>
</div>
<span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>&lt;<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>&gt; on behalf of Bill Burke &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, February 16, 2016 at 10:38 PM<br>
<span style="font-weight:bold">To: </span>&quot;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Disabling status cookie<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000"></div>
</div>
</span></div>
<div style="word-wrap:break-word"><span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div>
<div bgcolor="#FFFFFF" text="#000000">See our direct grant API.&nbsp;&nbsp;&nbsp; Here's an example:<br>
<br>
<a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java</a><br>
<br>
I *STRONGLY* suggest you do not use the direct grant API for browser-based applications.&nbsp; Otherwise you lose 90% of the features of Keycloak.&nbsp; Use the direct grant API for REST clients, that's what it was designed for.
<br>
<br>
<div>On 2/16/2016 1:59 AM, Sarp Kaya wrote:<br>
</div>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div>
<div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<div>Hello,</div>
<div><br>
</div>
<div>I want my users to be able to log in via API calls with or without requiring a browser. I looked at the examples and found customer-app-cli; however, I realised that even with manual login, the current workflow requires a browser to log in. I found that every
 time when&nbsp;</div>
<div><a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&amp;client_id=customer-portal-cli&amp;redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&amp;client_id=customer-portal-cli&amp;redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob</a></div>
<div><br>
</div>
<div>this page loads we get a form with a different code. In theory we should be able to just stick the username and password in the body and be able to get a 302 response. However, when I get the curl equivalent of what the browser is doing, I get the below:</div>
<div><br>
</div>
<div>curl '<a href="http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&amp;execution=08d88824-1286-4455-b5d1-07240bda8efd" target="_blank">http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&amp;execution=08d88824-1286-4455-b5d1-07240bda8efd</a>'
 -H 'Cookie: KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[...].B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0'
 -H 'Origin: <a href="http://localhost:8080" target="_blank">http://localhost:8080</a>' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/html,application/xhtml&#43;xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer:
<a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&amp;client_id=customer-portal-cli&amp;redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob" target="_blank">
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&amp;client_id=customer-portal-cli&amp;redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob</a>' -H 'Connection: keep-alive' --data 'username=sarp&amp;password=pass1234&amp;login=Log&#43;in' --compressed</div>
<div><br>
</div>
<div>I was hoping not to use the cookies and just change the code bit with a new request to the page mentioned above and expect a 302 response; however, I am getting 500 responses saying an error occurred instead.</div>
<div><br>
</div>
<div>I looked in the admin management console, but could not really find a way to disable cookies for the given client or the realm. I am guessing that one of those cookies is encrypting something that is required, and not using it simply prevents logging in successfully.
 So how can I disable this requirement?</div>
<div><br>
</div>
<div>Kind Regards,</div>
<div>Sarp Kaya</div>
<br>
</blockquote>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div>
<div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
</div>
</span></div>
<div style="word-wrap:break-word"><span style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<pre cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</div>
</div>
</span></div>
</blockquote>
</div>
</div>
</div>
</span>
</body>
</html>