0

I am getting HTTP 400 Bad Request from key cloak java code while Consent Required is set as ON. I am using the following code:

String realm = authenticationData.getRealm();
String clientName = authenticationData.getClientName();
String userName = authenticationData.getUserName();
String secret = authenticationData.getSecret();
String password = authenticationData.getPassword();
String authServerURL = authenticationData.getAuthServerURL();
ResteasyClient resteasyClient = new ResteasyClientBuilder().connectionPoolSize(10).register(new CustomJacksonProvider()).build();
Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl(authServerURL)
        .realm(realm)
        .grantType(OAuth2Constants.PASSWORD)
        .clientId(clientName)
        .clientSecret(secret)
        .username(userName)
        .password(password)
        .resteasyClient(resteasyClient)
        .build();
String authToken = keycloak.tokenManager().getAccessToken().getToken();

I have used the following libraries in the Gradle file.

compile 'org.keycloak:keycloak-adapter-core:7.0.0'
compile 'org.keycloak:keycloak-servlet-filter-adapter:7.0.0'
compile 'org.keycloak:keycloak-authz-client:7.0.0'
compile 'org.keycloak:keycloak-admin-client:7.0.0'
compile 'org.keycloak:keycloak-core:7.0.0'

with server as Server Version 7.0.0

Note: I have tried the same code with Consent Required set as OFF and it works.

Sagar Koshti
  • 408
  • 2
  • 6
  • 15

1 Answers1

1

"Consent Required" means, the user first have to agree to use this data. As long as the user haven't agreed, you will get the "400". The IDP-Server says "I can't give you the data (because the user don't want this).". In normal screen based logins, the IDP would show a website to the user, to agree to consent. But with REST, this is obviously not possible.

Also "Consent" belongs not in the scope of a login. It belongs to the user-account. The user once gives his consent, then the consent is saved to his account. That is why you don't can set consent at login. BUT you can change the consent via REST-Api. Look at the package

org.keycloak.services.resources.account.AccountRestService

an the method

AccountRestService.updateConsent(String clientId, ConsentRepresentation consent)

(see here for API). This might be what you want.

Look also here for docs https://issues.redhat.com/browse/KEYCLOAK-10653 .

And don't forget that you need to log in as admin(-like) to change user-data.

VinZ
  • 414
  • 7
  • 15