
As a newbie to Keycloak, I try to configure a client with a "Password" grant type. I know that this is not the preferred solution in most cases.

I created a realm 'realm2' with a client 'myclient2' and a user.

When trying to get the token with Postman, I get this error:

{
    "error": "unauthorized_client",
    "error_description": "Client secret not provided in request"
}

When I add the client_secret, I get the token. I tried to provide a username and password and no secret.

Via the Keycloak user interface I can also login as 'johan' in the 'realm2'.

This is my request in Postman:

[screenshot]

In Keycloak I configured the 'realm2' with no special properties set:

[screenshot]

The client 'myclient2' is:

[screenshot]

I can see on the Credentials tab of the client:

[screenshot]

I configured 1 user in the realm2 with just 'password' as a password:

[screenshot]

How can I configure my Keycloak settings so I don't need the 'secret' but the username and password?

dreamcrash
tm1701

2 Answers


You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the settings tab of your client.

EDIT: I just realized your Keycloak version seems different to mine. This configuration is likely under the Access Type selector in your settings tab, by changing it from confidential to public.

Haf

@Haf's answer is right to the point; TL;DR: In the client Access Type dropdown menu select public instead of confidential.

Nonetheless, I want to add a bit more information behind the scenes since you stated that:

As a newbie for Keycloak I try to configure a client with a "Password" grant type.

First, you should know that Keycloak implements OpenID Connect, which

is a simple identity layer on top of the OAuth 2.0 protocol.

According to the OAuth 2.0 protocol clients can be either confidential or public.

The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely.

Regarding the confidential clients:

Because they use a trusted backend server, confidential applications can use grant types that require them to authenticate by specifying their client ID and client secret when calling the Token endpoint.

Armed with this knowledge you can easily figure out how to create a client that will not have a client secret.

dreamcrash