In my project, I need to get current user password from Rest API.
I searched keycloak 4.8.3 final documentation but I could not find it. With admin user I can change password without knowing the current password. But my logged in user can be admin or not. I found that keycloak does not give me permission to that because of security. Wrap up is there any way to active that settings or is there a way to get password with Rest API ?
Thank you.
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
Via the Rest API, one cannot get the password for obvious reasons. Ideally, in a secure setting, even if one is the admin one should not have access to the users' passwords.
From the comments you wrote:
I could use method like boolean isPasswordCorrect(username,password)
An approach is to create a client on your Realm as follows:
Go to your Realm;
Clients;
Create Client;
Set Access Type to public;
Set Direct Access Grants Enabled to ON;
Save;
Now request from the newly created client a token on behalf of the user that you want to check if the password is correct:
As you can see the endpoint is:
<KEYCLOAK_HOST>/auth/realms/<REALM_NAME/protocol/openid-connect/token
and the body is:
client_id : <The client ID of the newly create client>
username : <The username>
password : <The password to be tested>
grant_type : password
If the password is correct you will get back a token object, otherwise you will get the following response:
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
Related
I want to connect to SharePoint by using username#company.com and password instead of client id and client secret. Do I need to get any authorization for my ID? If yes, how to get? I know the process for fetching authorization for client ID and client secret.
In this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/user.aspx
I add my user id and password with permission levels as "Full control".
But in this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/appprincipals.aspx
I am able to see only client id and client secret. Not my user id.
When I send POST request using Postman it is giving me "error": "unsupported_grant_type".
Postman Inputs:
POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
Headers
Content-Type : application/x-www-form-urlencoded
Body (x-www-form-urlencoded)
grant_type: password
username: username#company.com
password: password
resource:00000003-0000-0ff1-ce00-000000000000/{tenant}.sharepoint.com#{tenant_id}
SharePoint rest api does not support "Password Grant Flow". You can either use "Client Credentials Flow" or "Implicit Flow".
If you want to allow users to use their username & password, Use implicit flow.
NOTE: User will always require to sign in to get access token. You can not simply pass username and password with post request.
Here is the complete guide for configuring azure ad app for implicit flow : https://frankchen2016.medium.com/how-to-access-the-spo-rest-api-using-implicit-authentication-flow-40d65750554f
As a newbie of Keycloak, I try to configure a client with a "Password" grant type. I know that this is not the preferred solution in most cases.
I created a realm 'realm2' with a client 'myclient2' and a user.
When trying to get the token with Postman, I get this error:
{
"error": "unauthorized_client",
"error_description": "Client secret not provided in request"
}
When I add the client_secret, I get the token. I tried to provide a username and password and no secret.
Via the Keycloak user interface I can also login as 'johan' in the 'realm2'.
This is my request in Postman:
In Keycloak I configured the 'realm2' with no special properties set:
The client 'myclient2' is:
I can see on the Credentials tab of the client:
I configured 1 user in the realm2 with just 'password' as a password:
How can I configure my Keycloack settings so I don't need the 'secret' but the username and password?
You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the settings tab of your client.
EDIT: I just realized your keycloak version seems different to mine. This configuration is likely under the Access Type selector in your settings tab, by changing it from confidential to public
#Haf answer is right to the point; TL;DR: In the client Access Type dropdown menu select public instead of confidential.
Nonetheless, I want to add a bit more information behind the scenes since you stated that:
As a newbie for Keycloack I try to configure a client with a
"Password" grant type.
First, you should know that Keycloak implements OpenID Connect, which
is a simple identity layer on top of the OAuth 2.0 protocol.
According to the OAuth 2.0 protocol clients can be either confidential or public.
The main difference relates to whether or not the application is able
to hold credentials (such as a client ID and secret) securely.
Regarding the confidential clients:
Because they use a trusted backend server, confidential applications
can use grant types that require them to authenticate by specifying
their client ID and client secret when calling the Token endpoint.
Armed with this knowledge you can easily figure it out how to create a client that will not have a client secret.
I have tried this URL : http://lists.jboss.org/pipermail/keycloak-user/2018-September/015665.html, though with no help.
i have an access token to call admin API's
Xtreme Biker is right.
I could get the url from UI console.
/realms//clients//installation/providers/keycloak-oidc-keycloak-json
using client name, client-id can be retrieved using endpoint
/auth/admin/realms/${realm}/clients?clientId=
The catch is the access token that has to be supplied to the admin endpoints to respond successfully.
Access token shall be retrieved using a credentials of a user who has 'manageclients' access to the client role of the realm under which the client is registered.
I added a custom OIDC Identity Provider to my realm and i want to use the Direct Access Grants flow (or grant_type=password) but this doesn't work.
Is it possible with Keycloak?
When try with Authorization Code flow every thing works fine but with
grant_type=password the error
{
"error":"invalid_grant",
"error_description":"Invalid user credentials"
}
is returned.
I'm trying to get the access token e the refresh token doing the following request:
$ curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token'
-H 'content-type: application/x-www-form-urlencoded'
-d 'grant_type=password'
-d 'client_id=test-client'
-d 'client_secret=834a546f-2114-4b50-9af6-697adc06707b'
-d 'username=user' // valid user in custom Identity Provider
-d 'password=password' // password in custom Identity Provider
And this is the Identity Provider configuration:
this is the Identity Provider configuration
Please have a look below curl command
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://135.250.138.93:8666/auth/realms/<Realm-Name>/protocol/openid-connect/token' --data 'username=<userName>&password=<Password>&client_id=<Client-ID>&grant_type=password&client_secret=7df18c0d-d4c7-47b1-b959-af972684dab0'
In above command you have to provide these details
Realm-Name - Realm name against which you want token
userName - You should have a user which can access the above realm
Password - Password for above user
Client-ID - Client Name(Generally its a String Value) under the
Client-Secret - Client secret of above client which you can find [Realm->Client List->Select the client->Credential tab]
I was also stuck with this issue as well. In the beginning I also suspected that it looked like a bug. However, the turning point is that I tried with the master realm and the client_id=admin-cli with my admin user. I can retrieve the token with grand_type=password. It's just failed for my own realm and client_id like reported here.
I figured out my issue is that the user I used wasn't activated after I tried to login into my realm's console(eg: http://localhost:18080/auth/realms/quarkus-workshop-labs/account/). I need to reset my password, so it can be finally activated. Then the password grant_type just starts to work.
(note that by default, your new created user needs to reset password before it can use.)
Keycloak doing below validations before the DirectGrant auth flow.
username
password
otp (if configured)
if the user is enabled
if the user is locked due to brute force direction (only if it's enable)
You can customize this in Authentication -> Flows and select Direct grant flow.
For example you can disable Direct Grant - Conditional OTP to genarate token without checking otp.
Yes it is possible.
You need to enable/Grant Direct access in Keycloak settings for the particular client.
You need to set a client with test-client and the user should be available in the realm. Though cannot get what you wanna achieve with this 🧐
I got exactly same scenario it looks like a bug to me. I had to unlink the account from IDP, set the password and remove pending user actions. It is not a solution but in my case was ok as I needed only test user account for API tests and don't have that scenario on production.
I was able to use DAG if I set the (automatically provisioned) user's password in Keycloak to something and with that password I was able to get the token from the external iDP. I used this to investigate an Okta token. Hope this helps.
I think this is actually the right answer: answer.
To summarize: You can't do exactly what you requested, because Keycloak is not storing the password in DB, so password grant type flow is not valid for this user.
The alternative is to use Token Exchange feature that allows you to login to OIDC directly and use it's access token to retrieve keycloak access token.
There is an example code in the linked answer.
I'm implementing an Ouath2 authentication with Spring for our mobile API. So far it works but I don't know how I should keep the resource server separate. So I have an auth server which gives out tokens and refresh tokens using the password grant-type. Meaning the user would log into the mobile app, which sends the auth server the client id/client secret along with the user's
credentials, which results in an access token and a refresh token for the user with the appropriate (ROLE_USER) privileges. Another web based client is for the admins who do the same and get the ROLE_ADMIN privilege etc.
This works well so far.
Now if any client sends a request to the resource server what should happen? Should the resource server check the token's validity? If so in what way? Or should the auth server copy the token into the resource-server's database?
If you #EnableResourceServer you get a filter that checks access tokens. It needs to share a TokenStore with the auth server. That's about it to get something working.