"Parameter client_assertion_type is missing" in keycloak

I am trying to get the access token for the super user so that I can use it to create new users in Keycloak. I have deployed Keycloak in WildFly, and when I make the GET call I get "Invalid user credentials" as the response. How do I find out the actual credentials?

And when I try to update the password from the console, I get an error message like the one below.

Since I am new to this and didn't find enough information on the internet either, any kind of help would be appreciated.

Updated:

Now I am getting a new error description, "Parameter client_assertion_type is missing", as shown below. What should client_assertion_type be here?

Jet asked Aug 01 '17 03:08

2 Answers

This Keycloak help page describes the most likely reason for the second error:

Q: When logging in, I get an error: Parameter client_assertion_type is missing [invalid_client].

A: This error means your client is configured with Signed JWT token credentials, which means you have to use the --keystore parameter when logging in.

Alternatively you can disable using JWT tokens for the client in Keycloak.

THelper answered Sep 22 '22 13:09


For your information, the client_assertion_type would probably be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. But then you'd get another error because the client_assertion is missing.

If ccp-portal is a confidential client using client authentication with signed JWT, then the Keycloak doc states that

During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.

  • I guess it's not possible to generate a JWT with Postman.
  • This is meant for backchannel client-keycloak communication, not for user authentication.

Solutions

  • You can use the admin-cli as client_id instead of your ccp-portal client. The admin-cli should be in the list of clients configured for your ccp realm. You can see that from the Keycloak interface.
  • Another option is to allow direct access grants in the ccp-portal client config.
  • Finally, you could use the ccp-portal client in your application, configured with one of the Keycloak client adapters, instead of Postman.

As subrob sugrobych mentioned, parameters should be passed as form-data.

otonglet answered Sep 24 '22 13:09
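The two answers above describe what the token endpoint expects from each kind of client: a public client such as admin-cli with Direct Access Grants just needs grant_type, client_id, username and password as form fields, while a client set to "Signed JWT" authentication must additionally send client_assertion_type (the urn:ietf:params:oauth:client-assertion-type:jwt-bearer value) and a signed client_assertion. The following Python script is an added example, not code from the question or either answerer, and it uses only the standard library. It builds the form body the right way, generates and verifies a client assertion, and models the parameter check that produces the error in the question. Assumptions: the base URL and client secret are constructed placeholders; the realm ccp and the client ids admin-cli and ccp-portal are reused from the thread; the assertion is signed with HS256 (Keycloak's "Signed JWT with Client Secret" authenticator) because the standard library has no RSA signer, and the private-key (RS256) variant differs only in the signing step.

```python
"""Build and check Keycloak token-endpoint requests (added example, stdlib only).

Assumptions: KEYCLOAK_BASE, the client secret and the credentials below are
constructed placeholders; realm "ccp" and client ids "admin-cli"/"ccp-portal"
come from the thread. HS256 stands in for Keycloak's private-key signed JWT.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Assertion type named in the second answer (RFC 7523 / Keycloak signed JWT).
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
KEYCLOAK_BASE = "http://localhost:8080/auth"  # placeholder; WildFly-era layout uses /auth


def token_endpoint(base_url, realm):
    """OpenID Connect token endpoint of a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_assertion_hs256(client_id, client_secret, aud, now=None, ttl=60):
    """JWT the client puts in `client_assertion`: iss and sub are the client id,
    aud is the token endpoint, jti is unique, exp is short-lived."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_assertion_hs256(assertion, client_secret, now=None):
    """Server-side view: constant-time signature check plus expiry; claims or None."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def password_grant_form(username, password, client_id, client_assertion=None):
    """Form fields for the Resource Owner Password grant (the client needs
    'Direct Access Grants' enabled). A signed-JWT client also sends its assertion."""
    fields = {"grant_type": "password", "username": username,
              "password": password, "client_id": client_id}
    if client_assertion is not None:
        fields["client_assertion_type"] = JWT_BEARER
        fields["client_assertion"] = client_assertion
    return fields


def missing_parameters(fields, client_auth):
    """Simplified model of the endpoint's check that yields the error in the
    question: client_auth is 'public', 'client-secret' or 'signed-jwt'."""
    required = {"grant_type", "client_id"}
    if client_auth == "signed-jwt":
        required |= {"client_assertion_type", "client_assertion"}
    elif client_auth == "client-secret":
        required |= {"client_secret"}
    return sorted(p for p in required if p not in fields)


def encode_body(fields):
    """The token endpoint reads application/x-www-form-urlencoded, not JSON."""
    return urlencode(fields)


if __name__ == "__main__":
    url = token_endpoint(KEYCLOAK_BASE, "ccp")
    plain = password_grant_form("admin", "admin-password", "admin-cli")
    print("admin-cli missing:", missing_parameters(plain, "public"))
    print("ccp-portal as signed-jwt, no assertion:", missing_parameters(plain, "signed-jwt"))
    jwt = client_assertion_hs256("ccp-portal", "constructed-secret", url)
    signed = password_grant_form("admin", "admin-password", "ccp-portal", jwt)
    print("with assertion missing:", missing_parameters(signed, "signed-jwt"))
    print("POST", url)
    print(encode_body(signed)[:80] + "...")
```

Running the script shows that the same user credentials pass the check for admin-cli but fail for a signed-JWT client until client_assertion_type and client_assertion are added; the final line is the form-encoded body that a tool like Postman should send as x-www-form-urlencoded rather than raw JSON.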