15

I added a custom OIDC Identity Provider to my realm and I want to use the Direct Access Grants flow (or grant_type=password), but this doesn't work.

Is it possible with Keycloak?

When I try with the Authorization Code flow everything works fine, but with grant_type=password the error

    {
      "error": "invalid_grant",
      "error_description": "Invalid user credentials"
    }

is returned.

I'm trying to get the access token and the refresh token with the following request:

    $ curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
        -H 'content-type: application/x-www-form-urlencoded' \
        -d 'grant_type=password' \
        -d 'client_id=test-client' \
        -d 'client_secret=834a546f-2114-4b50-9af6-697adc06707b' \
        -d 'username=user' \
        -d 'password=password'
    # username: a valid user in the custom Identity Provider
    # password: that user's password in the custom Identity Provider

And this is the Identity Provider configuration:

Subodh Joshi
  • 12,717
  • 29
  • 108
  • 202
Matheus Alagia
  • 173
  • 2
  • 2
  • 9

8 Answers

7

Please have a look at the curl command below:

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://135.250.138.93:8666/auth/realms/<Realm-Name>/protocol/openid-connect/token' --data 'username=<userName>&password=<Password>&client_id=<Client-ID>&grant_type=password&client_secret=7df18c0d-d4c7-47b1-b959-af972684dab0'

In the above command you have to provide these details:

  1. Realm-Name - Realm name against which you want the token
  2. userName - You should have a user which can access the above realm
  3. Password - Password for the above user
  4. Client-ID - Client name (generally it's a string value) under the
  5. Client-Secret - Client secret of the above client, which you can find under [Realm -> Client List -> Select the client -> Credentials tab]
Subodh Joshi
  • 12,717
  • 29
  • 108
  • 202
5

Keycloak performs the validations below before the Direct Grant auth flow:

  • username
  • password
  • otp (if configured)
  • if the user is enabled
  • if the user is locked due to brute force detection (only if it's enabled)

You can customize this in Authentication -> Flows and select the Direct Grant flow. For example, you can disable "Direct Grant - Conditional OTP" to generate a token without checking the OTP.

  • Thanks. I think this should be accepted as the answer because of its complete checklist. Perhaps, besides the 'obvious', make sure the Direct Grant flow is checked. – apito Oct 04 '21 at 03:44
4

I was also stuck with this issue. In the beginning I also suspected that it looked like a bug. However, the turning point was that I tried with the master realm and client_id=admin-cli with my admin user: I could retrieve the token with grant_type=password. It just failed for my own realm and client_id, like reported here. I figured out my issue was that the user I used wasn't activated after I tried to log in to my realm's console (e.g. http://localhost:18080/auth/realms/quarkus-workshop-labs/account/). I needed to reset my password so it could finally be activated. Then the password grant_type just started to work.

(Note that by default, your newly created user needs to reset the password before it can be used.)

Ryan Zhang
  • 51
  • 1
  • 4
  • Key information here for me was the client ID = admin-cli – Samuel Jul 27 '20 at 11:20
  • It's not necessary to be client_id=admin-cli, you can use any *activated* user. So if you hit the same problem, my suggestion is to double check if the user is activated or not. Try to log in with it in Keycloak. – Ryan Zhang Jul 29 '20 at 05:01
  • No, really it was admin-cli for me. It can be any other client but must be configured similarly to admin-cli (mainly Direct Access Grants Enabled: ON). I did not have a deactivated user. – Samuel Jul 30 '20 at 07:19
  • Just to note that it was the password reset on the realm that worked for me. I had reset the password for the whole install but that wasn't enough. – Martin Eve Apr 16 '22 at 13:03
4

Yes, it is possible.

You need to enable Direct Access Grants in the Keycloak settings for the particular client.

See the attached Postman request.

Developine
  • 12,483
  • 8
  • 38
  • 42
  • Please, readers, never ever "obfuscate" information in this way. Never use brush tools, always use a 100% opaque rectangle tool. Blur can sometimes be de-blurred. – Jindra Vysocký Jan 09 '23 at 21:35
0

You need to set up a client named test-client, and the user should be available in the realm. Though I cannot get what you want to achieve with this.

Haseb Ansari
  • 587
  • 1
  • 7
  • 23
0

I got exactly the same scenario; it looks like a bug to me. I had to unlink the account from the IdP, set the password and remove the pending user actions. It is not a solution, but in my case it was OK as I only needed a test user account for API tests and don't have that scenario in production.

Jacek K.
  • 31
  • 2
0

I was able to use DAG if I set the (automatically provisioned) user's password in Keycloak to something, and with that password I was able to get the token from the external IdP. I used this to investigate an Okta token. Hope this helps.

efpe
  • 43
  • 1
  • 1
  • 6
0

I think this is actually the right answer: answer.

To summarize: you can't do exactly what you requested, because Keycloak is not storing the password in its DB, so the password grant type flow is not valid for this user.

The alternative is to use the Token Exchange feature, which allows you to log in to the OIDC provider directly and use its access token to retrieve a Keycloak access token.

There is an example code in the linked answer.

SGaist
  • 906
  • 8
  • 33
  • 109
Eduard Grinberg
  • 129
  • 2
  • 8
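An added Python example (not code from this page or from Keycloak) that turns the validation checklist in the 5-vote answer, Ryan Zhang's required-action point and SGaist's no-stored-password point into a single checker over a constructed user record, and builds the token-exchange form body SGaist's answer names as the alternative. The record field names, the `directAccessGrantsEnabled` client flag and the `totp` form field are assumptions about Keycloak's representations, not verified against a running server.

```python
from urllib.parse import urlencode

# Constructed records modelled on the question: a user who exists only through a
# custom OIDC Identity Provider and still carries the default required action.
# Field names follow Keycloak's admin REST representations loosely (assumption).
FEDERATED_USER = {
    "username": "user", "enabled": True, "requiredActions": ["UPDATE_PASSWORD"],
    "federatedIdentities": [{"identityProvider": "custom-oidc"}],
    "credentials": [],  # no password stored in Keycloak's DB
}
LOCAL_USER = {"username": "local", "enabled": True, "requiredActions": [],
              "federatedIdentities": [], "credentials": [{"type": "password"}]}
CLIENT_OK = {"clientId": "test-client", "directAccessGrantsEnabled": True}

def direct_grant_blockers(user, client, request_form, brute_force_locked=False):
    """Reasons a grant_type=password request for this user would fail ([] if none found)."""
    reasons = []
    if not client.get("directAccessGrantsEnabled"):
        reasons.append("client: Direct Access Grants Enabled is OFF")
    if not user.get("enabled"):
        reasons.append("user is disabled")
    if user.get("requiredActions"):
        reasons.append("pending required actions: " + ", ".join(user["requiredActions"]))
    if brute_force_locked:
        reasons.append("user temporarily locked by brute force detection")
    types = {c.get("type") for c in user.get("credentials", [])}
    if "otp" in types and "totp" not in request_form:  # 'totp' form field (assumed)
        reasons.append("OTP configured but no totp value sent")
    if user.get("federatedIdentities") and "password" not in types:
        reasons.append("user comes from an external IdP and has no local password; "
                       "Keycloak cannot verify it itself (use token exchange)")
    return reasons

def token_exchange_body(client_id, client_secret, subject_token, subject_issuer):
    """Form body for the alternative SGaist describes: trade the external IdP's
    access token for a Keycloak token at the same token endpoint."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id, "client_secret": client_secret,
        "subject_token": subject_token, "subject_issuer": subject_issuer,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    })

if __name__ == "__main__":
    form = {"grant_type": "password", "username": "user", "password": "password"}
    for reason in direct_grant_blockers(FEDERATED_USER, CLIENT_OK, form):
        print("-", reason)
```

Run against the constructed federated user it reports the pending UPDATE_PASSWORD action and the missing local password, which together explain the "Invalid user credentials" response in the question.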