I am trying to get the access token from the super user so that I can use it to create new users in Keycloak. I have deployed Keycloak in WildFly, and when I try to do the get call, I get Invalid user credentials as the response.
How do I find out the actual credentials?
And when I try to update the password from the console, I get an error message like the one below.
Since I am new to this and didn't find enough information on the internet either, any kind of help will be appreciated.
Updated:
Now I am getting a new error description, Parameter client_assertion_type is missing, like below. What should client_assertion_type be here?
client_assertion_type is a REQUIRED OAuth Parameters Registry entry in the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grant to indicate the format of the assertion as defined by the Authorization Server. The client_assertion_type value will be an absolute URI.
Configure Keycloak to authenticate your cbioportal instance. Log in to your Keycloak Identity Provider, e.g. http://localhost:8080/auth, as an admin user. ⚠️ when setting this up on something else than localhost (e.g. production), you will need to use/enable https on your Keycloak server.
In our frontend, send the username and password to the KC “token” endpoint and get an authorization code. Pass this code to our backend server. The backend sends this code + secret to KC to get a valid access token (and refresh token). The BE sends the access token back to the FE.
This Keycloak help page describes the most likely reason for the second error:
Q: When logging in, I get an error: Parameter client_assertion_type is missing [invalid_client].
A: This error means your client is configured with Signed JWT token credentials, which means you have to use the --keystore parameter when logging in.
Alternatively you can disable using JWT tokens for the client in Keycloak.
For your information, the client_assertion_type would probably be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. But then you'd get another error because the client_assertion is missing.
If ccp-portal is a confidential client using client authentication with signed JWT then the Keycloak doc states that
During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.
Solutions
admin-cli as client_id instead of your ccp-portal client. The admin-cli should be in the list of clients configured for your ccp realm. You can see that from the Keycloak interface.
ccp-portal client config.
ccp-portal client in your application configured with one of the Keycloak client adapters, instead of Postman.
As subrob sugrobych mentioned, parameters should be passed as form-data.
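The request shape discussed in this thread, as an added example that is not part of the original question or answer: it builds (without sending) a password-grant POST with a URL-encoded form body, optionally adding the two client-assertion parameters, and maps the two error bodies from the thread to their likely cause. The base URL, the helper names, the placeholder password, and the exact JSON error bodies are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Value named in the answer above for clients that authenticate with a signed JWT.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_request(base_url, realm, client_id, username, password, client_assertion=None):
    """Build, but do not send, a password-grant POST to the realm's token endpoint."""
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_assertion is not None:
        # Only for clients configured with Signed JWT credentials: both
        # parameters travel together; sending one alone is still an error.
        fields["client_assertion_type"] = JWT_BEARER
        fields["client_assertion"] = client_assertion
    url = (f"{base_url.rstrip('/')}/realms/{urllib.parse.quote(realm)}"
           "/protocol/openid-connect/token")
    # Parameters go in the form-encoded body, not in the query string or as JSON.
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def diagnose(response_body):
    """Map the two error responses from this thread to their likely cause."""
    err = json.loads(response_body)
    code, desc = err.get("error"), err.get("error_description", "")
    if code == "invalid_client" and "client_assertion_type" in desc:
        return "client uses Signed JWT credentials: use admin-cli or send a client assertion"
    if code == "invalid_grant" and "Invalid user credentials" in desc:
        return "username/password rejected for this realm"
    return f"unrecognised error: {code}"


if __name__ == "__main__":
    # Constructed values: local WildFly deployment, realm "ccp", placeholder password.
    req = token_request("http://localhost:8080/auth", "ccp", "admin-cli", "admin", "CHANGE_ME")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the built request to `urllib.request.urlopen` to send it; on an HTTP error, the response body can be handed to `diagnose`.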