[keycloak-user] Client secret not provided in request

Charles Moulliard cmoullia at redhat.com
Wed Dec 14 06:02:51 EST 2016


The curl request works now, but I'm getting this error when the token
received is checked by the SpringBoot Tomcat Adapter

Request

curl -sk -X POST \
  https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
  -d grant_type=password -d username=admin -d client_secret=MYSECRET \
  -d password=admin -d client_id=demoapp

What does "URL from configuration" refer to?

2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] o.k.a.BearerTokenRequestAuthenticator    : Failed to verify token

org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master, but URL from configuration is https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48) ~[keycloak-tomcat8-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]

Charles Moulliard
Sr. Pr. Software Engineer @redhat
cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14
Twitter: @cmoulliard <http://twitter.com/cmoulliard> | blog:
cmoulliard.github.io
committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm,
deltaspike

On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Your guess is correct. Or you can also use the much more complicated way
> of using basic auth header for client id and secret, but let's not get into
> that ;)
>
> On 14 December 2016 at 08:54, Sebastien Blanc <sblanc at redhat.com> wrote:
>
>> I guess "-d client_secret=my_secret" ? ;)
>>
>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard <cmoullia at redhat.com>
>> wrote:
>>
>>> How do I provide the client secret within the curl request ? An example
>>> would be great ;-)
>>>
>>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>> > Error message is pretty self explanatory here - you're missing the client
>>> > secret
>>> >
>>> > On 14 December 2016 at 08:17, Charles Moulliard <cmoullia at redhat.com>
>>> > wrote:
>>> >
>>> >> Hi,
>>> >>
>>> >> Why do I get this error when I issue this curl request to get a token
>>> >>
>>> >> curl -sk -X POST \
>>> >>   https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>>> >>   -d grant_type=password -d username=admin -d password=admin \
>>> >>   -d client_id=demoapp
>>> >>
>>> >> {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
>>> >>
>>> >> Keycloak Version : 1.9.8
>>> >> client_id: demoapp
>>> >>
>>> >> Do I have to set another field instead of username/password &
>>> >> grant_type=password ?
>>> >>
>>> >> Regards,
>>> >>
>>> >> Charles
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>
>>> >
>>> >
>
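
Added example (not part of the original thread and not Keycloak code): a diagnostic for the issuer mismatch reported in the stack trace at the top of this message. It assumes the adapter derives "URL from configuration" as auth-server-url + /realms/ + realm from its keycloak.json; the helper names and the sample token are constructed here, and the token is decoded without signature verification, for troubleshooting only.

```python
import base64
import json

def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_realm_url(auth_server_url, realm):
    """Assumed derivation of the adapter's realm URL: <auth-server-url>/realms/<realm>."""
    return auth_server_url.rstrip("/") + "/realms/" + realm

def diagnose(token, auth_server_url, realm):
    """Return (ok, issuer, configured_url, hint) for the issuer check that failed."""
    issuer = jwt_claims(token).get("iss")
    configured = expected_realm_url(auth_server_url, realm)
    if issuer == configured:
        return True, issuer, configured, None
    hint = None
    suffix = "/realms/" + realm
    if issuer and issuer.endswith(suffix):
        # The issuer shows which base URL the server actually uses.
        hint = "set auth-server-url to " + issuer[: -len(suffix)]
    return False, issuer, configured, hint

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: header and claims only, placeholder signature.
HOST = "https://secure-sso-sso.e8ca.engint.openshiftapps.com"
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": HOST + "/auth/realms/master", "azp": "demoapp"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    # Adapter configured without the /auth context path, as the error text implies.
    print(diagnose(SAMPLE_TOKEN, HOST, "master"))
    # Same token checked against a base URL that includes /auth.
    print(diagnose(SAMPLE_TOKEN, HOST + "/auth", "master"))
```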

