Hi Vitali,
Thanks again for your help. Yes, you're right, the URL used in order to get the token
was not the right one. Now, with the following client:
get clients -r demo-realm --field
{
  "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ "http://localhost" ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
    "name" : "role list",
    "protocol" : "saml",
    "protocolMapper" : "saml-role-list-mapper",
    "consentRequired" : false,
    "config" : {
      "single" : "false",
      "attribute.nameformat" : "Basic",
      "attribute.name" : "Role"
    }
  } ]
}
and the following curl request:
curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=..." http://localhost:18080/auth/realms/demo-realm/protocol/openid-connect/token
I'm able to get the token. Indeed, the parameter "directAccessGrantsEnabled" is now "true".
Many thanks for your help and support. This closes this issue.
Kind regards,
Nicolas
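As an added example that is not part of the thread: a small Python helper that builds the password-grant (grant_type=password) request against a client representation like the ones posted above and reports, before anything is sent, the three things the thread ended up fixing (the client was created in demo-realm but the token was requested from the master realm, directAccessGrantsEnabled was false on the recreated client, and a confidential client was called without its secret). The client dictionaries are constructed, trimmed-down copies of the representations in the thread; the base URL, port and username come from the thread, the password is a placeholder, and the form parameter used for the secret is the standard OAuth 2.0 name `client_secret`.

```python
"""
Added example (not from the thread): build a Keycloak password-grant token
request and check the client representation for the misconfigurations the
thread ran into before any request is sent.
"""
import json
import urllib.parse
import urllib.request

# Constructed samples, trimmed from the client representations posted in the
# thread. Only the fields this check looks at are kept.
CLIENT_OK = {                      # the final, working client
    "clientId": "curl",
    "clientAuthenticatorType": "client-secret",
    "directAccessGrantsEnabled": True,
    "publicClient": True,
}
CLIENT_RECREATED = {               # the recreated client that kept failing
    "clientId": "curl",
    "clientAuthenticatorType": "client-secret",
    "directAccessGrantsEnabled": False,
    "publicClient": False,
}


class TokenRequestError(ValueError):
    """Raised when the client representation cannot serve a password grant."""


def token_endpoint(base_url, realm):
    """Token endpoint for a realm on the /auth context path used in the thread."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def check_client(client, client_realm, request_realm, client_secret=None):
    """Return the list of misconfigurations that would make Keycloak reject the grant."""
    problems = []
    if client_realm != request_realm:
        # Keycloak looks the client up in the realm named in the URL; a client
        # created in demo-realm is UNKNOWN_CLIENT when the URL says master.
        problems.append(
            f"client '{client['clientId']}' lives in realm '{client_realm}' "
            f"but the token URL targets realm '{request_realm}'"
        )
    if not client.get("directAccessGrantsEnabled", False):
        # grant_type=password is the "direct access grant" switch on the client.
        problems.append("directAccessGrantsEnabled is false on the client")
    if (not client.get("publicClient", False)
            and client.get("clientAuthenticatorType") == "client-secret"
            and not client_secret):
        # A confidential client must authenticate; with client-secret that
        # means sending client_secret (underscore) in the form body.
        problems.append("confidential client called without client_secret")
    return problems


def build_password_grant(client, client_realm, request_realm, username, password,
                         client_secret=None, base_url="http://localhost:18080"):
    """Return (url, form_body) for the grant, or raise TokenRequestError."""
    problems = check_client(client, client_realm, request_realm, client_secret)
    if problems:
        raise TokenRequestError("; ".join(problems))
    form = {
        "grant_type": "password",
        "client_id": client["clientId"],
        "username": username,
        "password": password,
    }
    if client_secret:
        form["client_secret"] = client_secret
    return token_endpoint(base_url, request_realm), urllib.parse.urlencode(form)


def send_token_request(url, form_body, timeout=10):
    """POST the form to the token endpoint and return the parsed JSON response.

    Not called at import time; it needs a running Keycloak at base_url.
    """
    req = urllib.request.Request(
        url, data=form_body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, body = build_password_grant(CLIENT_OK, "demo-realm", "demo-realm",
                                     "customer-manager-user", "<password>")
    print("POST", url)
    print(body)
    for realm in ("master", "demo-realm"):
        print(realm, "->", check_client(CLIENT_RECREATED, "demo-realm", realm))
```

Running it prints the request that matches the working curl command in the thread, then shows that the recreated client fails two checks even once the realm in the URL is corrected, which is why fixing only the URL was not enough at that stage.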
From: Виталий Ищенко [mailto:betalb@gmail.com]
Sent: Friday 22 December 2017 13:28
To: nicolas.duminil(a)simplex-software.fr
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password
Hello
I've missed one important thing in your first question: you've created the client in demo-realm, but are trying to get the token in the master realm
./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm
http://localhost:18080/auth/realms/master/protocol/openid-connect/token
Also, I've mentioned that after you recreated the client, direct grant (grant_type=password) was disabled (directAccessGrantsEnabled: false); in your previous version of the client, it was enabled.
On Fri, Dec 22, 2017 at 2:49 PM Nicolas DUMINIL
<nicolas.duminil(a)simplex-software.fr> wrote:
Hi,
Thanks for taking the time to reply to my post. I'm not sure why I should pass the client secret in the curl request. The tutorial I'm following doesn't do that. But anyway, the following command:
curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7" http://localhost:18080/auth/realms/master/protocol/openid-connect/token
raises the same exception:
{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}
Whatever I do, the result is the same. Here below I'm pasting again the curl client that I have recreated:
{
  "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ "http://localhost" ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : false,
  "serviceAccountsEnabled" : true,
  "publicClient" : false,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc",
    "name" : "role list",
    "protocol" : "saml",
    "protocolMapper" : "saml-role-list-mapper",
    "consentRequired" : false,
    "config" : {
      "single" : "false",
      "attribute.nameformat" : "Basic",
      "attribute.name" : "Role"
    }
  } ]
}
Kind regards,
Nicolas
From: Виталий Ищенко [mailto:betalb@gmail.com]
Sent: Thursday 21 December 2017 22:07
To: nicolas.duminil(a)simplex-software.fr
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password
You need to pass the client secret; note this part in the provided JSON:
"clientAuthenticatorType" : "client-secret"
You can find the client secret in the UI or use kcadm.sh:
./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/client-secret -r demo-realm
On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL
<nicolas.duminil(a)simplex-software.fr> wrote:
Hello,
I'm following this blog (http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) to secure some JAX-RS services. I have the following client:
./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm
{
  "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "5916961f-e222-4a6d-968e-ca2031961168",
    "name" : "family name",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-usermodel-property-mapper",
    "consentRequired" : true,
    "consentText" : "${familyName}",
    "config" : {
      "userinfo.token.claim" : "true",
      "user.attribute" : "lastName",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "family_name",
      "jsonType.label" : "String"
    }
  } ]
}
I'm doing the following curl request:
curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto" http://localhost:18080/auth/realms/master/protocol/openid-connect/token
and I get the following error:
{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}
The user "customer-manager-user" is as follows:
[jboss@ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user
[ {
  "id" : "52f6b73c-0982-415d-9157-a4735bf619b1",
  "createdTimestamp" : 1513861722307,
  "username" : "customer-manager-user",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ "password" ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]
I have googled in order to find a solution and I found several people reporting the issue, but I didn't find any solution. Many thanks in advance for any help.
Kind regards,
Nicolas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user