Hi, Thanks for taking the time to reply to my post. I'm not sure why should I pass the client secret in the curl request. The tutorial I'm following doesn't do that. But anyway, the following command: curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7" <http://localhost:18080/auth/realms/master/protocol/openid-connect/token> http://localhost:18080/auth/realms/master/protocol/openid-connect/token raises the same exception: {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"} Whatever I do, the result is the same. Here below I'm pasting again is the curl client that I have recreated: { "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240", "clientId" : "curl", "surrogateAuthRequired" : false, "enabled" : true, "clientAuthenticatorType" : "client-secret", "redirectUris" : [ "http://localhost" ], "webOrigins" : [ "http://localhost" ], "notBefore" : 0, "bearerOnly" : false, "consentRequired" : false, "standardFlowEnabled" : true, "implicitFlowEnabled" : false, "directAccessGrantsEnabled" : false, "serviceAccountsEnabled" : true, "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", "saml.onetimeuse.condition" : "false" }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, "protocolMappers" : [ { "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc", "name" : "role list", "protocol" : "saml", "protocolMapper" : "saml-role-list-mapper", "consentRequired" : false, "config" : { "single" : "false", "attribute.nameformat" : "Basic", "attribute.name" : "Role" } } Kind regards, Nicolas From: Виталий Ищенко [mailto:betalb@gmail.com] Sent: jeudi 21 décembre 2017 22:07 To: nicolas.duminil(a)simplex-software.fr Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password You need to pass client secret, note this part in provided json: "clientAuthenticatorType" : "client-secret" You can find client secret on UI or use kcadm.sh ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/client-secret -r demo-realm On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL <nicolas.duminil(a)simplex-software.fr&gt; wrote: Hello, I'm following this blog ( <http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.htm l> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html ) to secure some jax-rs services. I have the following client: ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm { "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42", "clientId" : "curl", "surrogateAuthRequired" : false, "enabled" : true, "clientAuthenticatorType" : "client-secret", "redirectUris" : [ " <http://localhost> http://localhost" ], "webOrigins" : [ ], "notBefore" : 0, "bearerOnly" : false, "consentRequired" : false, "standardFlowEnabled" : true, "implicitFlowEnabled" : false, "directAccessGrantsEnabled" : true, "serviceAccountsEnabled" : true, "authorizationServicesEnabled" : false, "publicClient" : true, "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", "saml.onetimeuse.condition" : "false" }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, "protocolMappers" : [ { "id" : "5916961f-e222-4a6d-968e-ca2031961168", "name" : "family name", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${familyName}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "lastName", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "family_name", "jsonType.label" : "String" } } I'm doing the following curl request: curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password= toto" <http://localhost:18080/auth/realms/master/protocol/openid-connect/token> http://localhost:18080/auth/realms/master/protocol/openid-connect/token and I get the following error: {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"} The user "customer-manager-user" is as follows: [jboss@ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user [ { "id" : "52f6b73c-0982-415d-9157-a4735bf619b1", "createdTimestamp" : 1513861722307, "username" : "customer-manager-user", "enabled" : true, "totp" : false, "emailVerified" : false, "disableableCredentialTypes" : [ "password" ], "requiredActions" : [ ], "notBefore" : 0, "access" : { "manageGroupMembership" : true, "view" : true, "mapRoles" : true, "impersonate" : true, "manage" : true } } ] I have googled in order to find a solution and I found several persons reporting the issue but I didn't find any solution. Many thanks in advance for any help. Kind regards, Nicolas _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Vitali, Thanks again for your help. Yes, you're right, the URL used in order to get the token was not the right one. Now, with the following client: { "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240",get clients -r demo-realm --field "clientId" : "curl", "surrogateAuthRequired" : false, "enabled" : true, "clientAuthenticatorType" : "client-secret", "redirectUris" : [ " <http://localhost> http://localhost" ], "webOrigins" : [ " <http://localhost> http://localhost" ], "notBefore" : 0, "bearerOnly" : false, "consentRequired" : false, "standardFlowEnabled" : true, "implicitFlowEnabled" : false, "directAccessGrantsEnabled" : true, "serviceAccountsEnabled" : true, "authorizationServicesEnabled" : false, "publicClient" : true, "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", "saml.onetimeuse.condition" : "false" }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, "protocolMappers" : [ { "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc", "name" : "role list", "protocol" : "saml", "protocolMapper" : "saml-role-list-mapper", "consentRequired" : false, "config" : { "single" : "false", "attribute.nameformat" : "Basic", "attribute.name" : "Role" } } and the following curl request: curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=..." <http://localhost:18080/auth/realms/demo-realm/protocol/openid-connect/tok... http://localhost:18080/auth/realms/demo-realm/protocol/openid-connect/token I'm able to get the tocken. In deed, the parameter "directAccessGrantsEnabled" is now "true". Many tanks for your help and support. This closes this issue. Kind regards, Nicolas From: Виталий Ищенко [mailto:betalb@gmail.com] Sent: vendredi 22 décembre 2017 13:28 To: nicolas.duminil(a)simplex-software.fr Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password Hello I've missed one important thing in your first question: you've created client in demo-realm, but trying to get token in master realm ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm http://localhost:18080/auth/realms/master/protocol/openid-connect/token Also, I've mentioned that after you recreated client, direct grant (grant_type=password) was disabled (directAccessGrantsEnabled: false), in your previous version of client, it was enabled. On Fri, Dec 22, 2017 at 2:49 PM Nicolas DUMINIL <nicolas.duminil(a)simplex-software.fr&gt; wrote: Hi, Thanks for taking the time to reply to my post. I'm not sure why should I pass the client secret in the curl request. The tutorial I'm following doesn't do that. But anyway, the following command: curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto&client-secret=f512e240-6cc0-4bd3-9d01-eb167b8e69e7" <http://localhost:18080/auth/realms/master/protocol/openid-connect/token> http://localhost:18080/auth/realms/master/protocol/openid-connect/token raises the same exception: {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"} Whatever I do, the result is the same. Here below I'm pasting again is the curl client that I have recreated: { "id" : "ef4783a4-dc2f-49a8-8c4f-17521ce33240", "clientId" : "curl", "surrogateAuthRequired" : false, "enabled" : true, "clientAuthenticatorType" : "client-secret", "redirectUris" : [ "http://localhost" ], "webOrigins" : [ "http://localhost" ], "notBefore" : 0, "bearerOnly" : false, "consentRequired" : false, "standardFlowEnabled" : true, "implicitFlowEnabled" : false, "directAccessGrantsEnabled" : false, "serviceAccountsEnabled" : true, "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", "saml.onetimeuse.condition" : "false" }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, "protocolMappers" : [ { "id" : "b5b68fcc-0e26-486b-ab39-d8d8cf72eacc", "name" : "role list", "protocol" : "saml", "protocolMapper" : "saml-role-list-mapper", "consentRequired" : false, "config" : { "single" : "false", "attribute.nameformat" : "Basic", "attribute.name" : "Role" } } Kind regards, Nicolas From: Виталий Ищенко [mailto:betalb@gmail.com] Sent: jeudi 21 décembre 2017 22:07 To: nicolas.duminil(a)simplex-software.fr Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password You need to pass client secret, note this part in provided json: "clientAuthenticatorType" : "client-secret" You can find client secret on UI or use kcadm.sh ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42/client-secret -r demo-realm On Thu, Dec 21, 2017 at 6:22 PM Nicolas DUMINIL <nicolas.duminil(a)simplex-software.fr&gt; wrote: Hello, I'm following this blog ( <http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.htm l> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html ) to secure some jax-rs services. I have the following client: ./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm { "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42", "clientId" : "curl", "surrogateAuthRequired" : false, "enabled" : true, "clientAuthenticatorType" : "client-secret", "redirectUris" : [ " <http://localhost> http://localhost" ], "webOrigins" : [ ], "notBefore" : 0, "bearerOnly" : false, "consentRequired" : false, "standardFlowEnabled" : true, "implicitFlowEnabled" : false, "directAccessGrantsEnabled" : true, "serviceAccountsEnabled" : true, "authorizationServicesEnabled" : false, "publicClient" : true, "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", "saml.onetimeuse.condition" : "false" }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, "protocolMappers" : [ { "id" : "5916961f-e222-4a6d-968e-ca2031961168", "name" : "family name", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${familyName}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "lastName", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "family_name", "jsonType.label" : "String" } } I'm doing the following curl request: curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password= toto" <http://localhost:18080/auth/realms/master/protocol/openid-connect/token> http://localhost:18080/auth/realms/master/protocol/openid-connect/token and I get the following error: {"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"} The user "customer-manager-user" is as follows: [jboss@ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user [ { "id" : "52f6b73c-0982-415d-9157-a4735bf619b1", "createdTimestamp" : 1513861722307, "username" : "customer-manager-user", "enabled" : true, "totp" : false, "emailVerified" : false, "disableableCredentialTypes" : [ "password" ], "requiredActions" : [ ], "notBefore" : 0, "access" : { "manageGroupMembership" : true, "view" : true, "mapRoles" : true, "impersonate" : true, "manage" : true } } ] I have googled in order to find a solution and I found several persons reporting the issue but I didn't find any solution. Many thanks in advance for any help. Kind regards, Nicolas _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user