Keycloak: grant_type=password in custom Identity Provider

Tags:

keycloak

I added a custom OIDC Identity Provider to my realm and I want to use the Direct Access Grants flow (or grant_type=password), but this doesn't work.

Is it possible with Keycloak?

When I try with the Authorization Code flow everything works fine, but with grant_type=password the error

    {
        "error": "invalid_grant",
        "error_description": "Invalid user credentials"
    }

is returned.

I'm trying to get the access token and the refresh token with the following request:

$ curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'grant_type=password' \
    -d 'client_id=test-client' \
    -d 'client_secret=834a546f-2114-4b50-9af6-697adc06707b' \
    -d 'username=user' \
    -d 'password=password'
# username and password are those of a valid user in the custom Identity Provider

And this is the Identity Provider configuration:

Matheus Alagia asked Jul 04 '18 22:07


4 Answers

Keycloak does the validations below before the Direct Grant auth flow:

  • username
  • password
  • otp (if configured)
  • if the user is enabled
  • if the user is locked due to brute force detection (only if it's enabled)

You can customize this in Authentication -> Flows and select the Direct Grant flow. For example, you can disable Direct Grant - Conditional OTP to generate a token without checking the OTP.

Hasitha Nanayakkara answered Oct 20 '22 13:10
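The request from the question and the response triage that follows from the checks listed in this answer, as an added example (not code from the original post or from Keycloak). The token endpoint path is the standard Keycloak one; the "/auth" prefix belongs to the WildFly-based distributions of 2018 and is gone on Quarzus-based Keycloak. The error_description strings matched in classify_token_response are the ones Keycloak's direct-grant flow returns as I recall them from the sources; confirm them against the deployed version before relying on them. The caveat a practitioner wants here: every check in the list above runs against Keycloak's own user store (local users or user federation such as LDAP), not against a brokered Identity Provider, so a user who exists only in the custom IdP has no credential for the password step to verify, and the request ends at "Invalid user credentials" even though the redirect-based Authorization Code flow works.

```python
"""Direct Access Grant (grant_type=password) against Keycloak: build the same
request as the curl in the question and triage the token endpoint's answer.

Added example, not from the original post. Endpoint layout and error codes
are standard; the error_description strings are assumed from memory of the
Keycloak sources (confirm against your version)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url: str, realm: str) -> str:
    """Token endpoint of a realm, e.g. base_url='http://localhost:8080/auth'."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_password_grant_body(client_id, client_secret, username, password):
    """Form body of the question's curl. urlencode percent-encodes every
    value, so passwords containing '&', '%' or spaces survive intact."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def classify_token_response(status: int, body: dict) -> str:
    """Map a token response to the most likely cause, in the order the
    direct-grant flow checks things: client allowed -> user found and
    password verified in Keycloak's own store -> account enabled and not
    locked -> OTP / required actions done. A user known only to a brokered
    Identity Provider has no local credential, so the password step fails
    with the 'Invalid user credentials' quoted in the question."""
    if status == 200 and "access_token" in body:
        return "ok"
    err = body.get("error", "")
    desc = body.get("error_description", "")
    if err == "unauthorized_client":
        return "client: Direct Access Grants not enabled for this client"
    if err == "invalid_client":
        return "client: unknown client_id or wrong client_secret"
    if err == "invalid_grant":
        if desc == "Invalid user credentials":
            return "user: username/password not verifiable in this realm"
        if desc == "Account disabled":
            return "user: account is disabled"
        if desc == "Account is not fully set up":
            return "user: pending required action (e.g. Update Password)"
    return f"unhandled: {err} {desc}".strip()


def request_token(url: str, body: str) -> tuple:
    """POST the form body and return (status, parsed JSON). Keycloak answers
    errors with 400/401 plus a JSON body, which urllib raises as HTTPError,
    so the error body is read from the exception instead of being lost."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample: the exact error body quoted in the question.
    sample = {"error": "invalid_grant", "error_description": "Invalid user credentials"}
    print(classify_token_response(401, sample))
    # Live run only when pointed at a server; the variable names are placeholders.
    base = os.environ.get("KEYCLOAK_URL")  # e.g. http://localhost:8080/auth
    if base:
        body = build_password_grant_body(
            os.environ["KC_CLIENT_ID"], os.environ.get("KC_CLIENT_SECRET", ""),
            os.environ["KC_USERNAME"], os.environ["KC_PASSWORD"])
        url = token_endpoint(base, os.environ.get("KC_REALM", "master"))
        status, resp = request_token(url, body)
        print(status, classify_token_response(status, resp))
```

Keep the client secret out of the command line in real use (curl's -d with a secret ends up in shell history and in ps output); the environment-variable form above is the minimum, a secrets file or `--data @file` is better.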


Yes it is possible.

You need to enable Direct Access Grants in the Keycloak settings for the particular client.

See the attached Postman request.

Developine answered Oct 20 '22 14:10


I was also stuck with this issue. In the beginning I also suspected that it looked like a bug. However, the turning point was that I tried with the master realm and client_id=admin-cli with my admin user. I could retrieve the token with grant_type=password. It just failed for my own realm and client_id, like reported here. I figured out my issue was that the user I used wasn't activated after I tried to log in to my realm's console (e.g. http://localhost:18080/auth/realms/quarkus-workshop-labs/account/). I needed to reset my password so it could finally be activated. Then the password grant_type just started to work.

(Note that by default, your newly created user needs to reset the password before it can be used.)

Ryan Zhang answered Oct 20 '22 14:10
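The two admin-side preconditions named in the previous two answers, the client's Direct Access Grants switch and the user's pending required action, checked from the Keycloak Admin REST API representations, as an added example (not code from the original post or from Keycloak). It reads the ClientRepresentation and UserRepresentation JSON returned under /admin/realms/{realm}/clients?clientId=... and /admin/realms/{realm}/users?username=..., and builds the UserRepresentation that creates a user with a non-temporary password, which is the detail behind the "needs to reset password" behaviour: the old admin console's Temporary toggle defaults to on, which attaches the UPDATE_PASSWORD required action. The field names (directAccessGrantsEnabled, publicClient, enabled, requiredActions, credentials[].temporary) are Keycloak's; the admin token, URLs and the sample records in the block are constructed placeholders.

```python
"""Preflight for grant_type=password: is the client allowed to use it, and
is the user in a state where the direct-grant flow will accept it?

Added example, not from the original post. Representations follow the
Keycloak Admin REST API; base URL, realm, token and sample data are
placeholders."""
import json
import urllib.parse
import urllib.request


def direct_grant_problems(client: dict, user: dict) -> list:
    """Reasons Keycloak will refuse a password grant for this client/user
    pair, in the order the flow checks them. An empty list means the
    admin-side preconditions hold; the password itself still has to match
    a credential stored in Keycloak (a user brokered from an external
    Identity Provider usually has none)."""
    problems = []
    if not client.get("directAccessGrantsEnabled", False):
        problems.append("client: Direct Access Grants disabled")
    if not user.get("enabled", True):
        problems.append("user: account disabled")
    pending = user.get("requiredActions", [])
    if pending:
        problems.append("user: required actions pending: " + ", ".join(pending))
    return problems


def new_user_representation(username: str, password: str, temporary: bool = False) -> dict:
    """Body for POST /admin/realms/{realm}/users. With temporary=False no
    UPDATE_PASSWORD required action is attached, so the user can use the
    password grant immediately instead of first logging in to reset it."""
    return {
        "username": username,
        "enabled": True,
        "emailVerified": True,
        "requiredActions": [],
        "credentials": [
            {"type": "password", "value": password, "temporary": temporary}
        ],
    }


def admin_get(base_url: str, realm: str, admin_token: str, path: str, **query):
    """GET an Admin REST resource with a bearer token (obtained, as in the
    answer above, from the master realm's admin-cli client)."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def preflight(base_url, realm, admin_token, client_id, username) -> list:
    """Fetch the client and user and run direct_grant_problems on them.
    The users endpoint does a prefix search, so filter to the exact name
    (Keycloak stores usernames lower-cased)."""
    clients = admin_get(base_url, realm, admin_token, "clients", clientId=client_id)
    if not clients:
        return [f"client: no client with clientId '{client_id}' in realm {realm}"]
    users = [u for u in admin_get(base_url, realm, admin_token, "users", username=username)
             if u.get("username", "").lower() == username.lower()]
    if not users:
        return [f"user: no user '{username}' in realm {realm}"]
    return direct_grant_problems(clients[0], users[0])


if __name__ == "__main__":
    # Constructed sample: the question's client with direct grants off and a
    # freshly created user still carrying the Update Password action.
    client = {"clientId": "test-client", "publicClient": False,
              "directAccessGrantsEnabled": False}
    user = {"username": "user", "enabled": True,
            "requiredActions": ["UPDATE_PASSWORD"]}
    for problem in direct_grant_problems(client, user):
        print(problem)
    print(json.dumps(new_user_representation("user", "password"), indent=2))
```

Enable Direct Access Grants only on the one client that genuinely needs the password grant; it hands the user's password to that client, which is why the other clients in the realm should keep it off.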


Please have a look at the curl command below:

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://135.250.138.93:8666/auth/realms/<Realm-Name>/protocol/openid-connect/token' --data 'username=<userName>&password=<Password>&client_id=<Client-ID>&grant_type=password&client_secret=7df18c0d-d4c7-47b1-b959-af972684dab0'

In the above command you have to provide these details:

  1. Realm-Name - realm name against which you want the token
  2. userName - you should have a user who can access the above realm
  3. Password - password for the above user
  4. Client-ID - client name (generally a string value) under the
  5. Client-Secret - client secret of the above client, which you can find under Realm -> Client List -> Select the client -> Credentials tab
Subodh Joshi answered Oct 20 '22 13:10