Reputation: 3298
I am trying to get the access token from the super user so that I can use the same to create new users in Keycloak. I have deployed Keycloak in WildFly, and when I try to do the get call, I am getting Invalid user credentials as the response.
How do I know the actual credentials?
And when I try to update the password from the console, I am getting an error message like below.
Since I am new to this and didn't find enough information on the internet either, any kind of help will be appreciated.
Updated:
Now I am getting a new error description, Parameter client_assertion_type is missing, like below. What should client_assertion_type be here?
Upvotes: 7
Views: 16749
Reputation: 3502
For your information, the client_assertion_type would probably be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. But then you'd get another error because the client_assertion is missing.
If ccp-portal is a confidential client using client authentication with signed JWT then the Keycloak doc states that
During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.
Solutions
- admin-cli as client_id instead of your ccp-portal client. The admin-cli should be in the list of clients configured for your ccp realm. You can see that from the Keycloak interface.
- ccp-portal client config.
- ccp-portal client in your application configured with one of the Keycloak client adapters, instead of Postman. As subrob sugrobych mentioned, parameters should be passed as form-data.
Upvotes: 2
Reputation: 15619
This Keycloak help page describes the most likely reason for the second error:
Q: When logging in, I get an error: Parameter client_assertion_type is missing [invalid_client].
A: This error means your client is configured with Signed JWT token credentials, which means you have to use the --keystore parameter when logging in.
Alternatively you can disable using JWT tokens for the client in Keycloak.
Upvotes: 7
Reputation: 1050
First of all, when you are posting data to Keycloak over a REST client, you need to input parameters as form parameters, and not as query parameters. This is why you are getting this strange error of not providing parameter grant_type, when you obviously are providing it. The same is valid for accessing the Keycloak API via code.
The next thing you need to think about is roles for your superuser. You can assign realm roles and client roles. There is a client named 'realm-management' which contains roles which would normally count as "system roles". You will need to use them. When you are getting HTTP code 403, it means that probably your user is missing a role from this client.
Upvotes: 1
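The points made in the answers above (admin-cli as client_id, parameters in the form body, realm-management roles behind a 403) can be put together as follows. This is an added example, not code from any of the posters; the base URL with the /auth prefix, the realm name and the credentials are assumed placeholders, and the helper names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Assumption: WildFly-based Keycloak served under /auth on a placeholder host.
BASE = "http://localhost:8080/auth"


def build_token_request(realm, username, password, client_id="admin-cli"):
    """Password-grant token request with every parameter in the form body."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,  # admin-cli is a public client: no client_assertion
        "username": username,
        "password": password,
    }).encode()
    url = f"{BASE}/realms/{realm}/protocol/openid-connect/token"
    # The URL carries no query string; the parameters travel as form data.
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_create_user_request(realm, access_token, new_username):
    """Admin REST call that creates a user, authorised by the bearer token."""
    body = json.dumps({"username": new_username, "enabled": True}).encode()
    return urllib.request.Request(
        f"{BASE}/admin/realms/{realm}/users", data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


def diagnose(status, body):
    """Map the error responses discussed in this thread to their likely cause."""
    try:
        err = json.loads(body or "{}")
    except ValueError:
        err = {}
    desc = err.get("error_description", "")
    if status == 403:
        return "user lacks a realm-management client role"
    if "client_assertion_type" in desc:
        return "client uses Signed JWT authentication; use admin-cli or change the client"
    if "grant_type" in desc:
        return "parameters sent as query string; send them as form parameters"
    if err.get("error") == "invalid_grant":
        return "wrong username/password for this realm"
    return "unrecognised error"
```

Either request object can be sent with urllib.request.urlopen; on failure, pass the HTTP status and response body to diagnose.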