Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
docs
Describe the bug
I'm using default Keycloak 26.2.4 with Client Credentials Grant ("Client authentication = ON" and "Service accounts roles = ON") using "Client Authenticator = Client Id and Secret".
In Server Administration, "13 Managing OpenID Connect and SAML Clients" ⇨ "Managing OpenID Connect clients" ⇨ "Confidential client credentials" (File: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc) it says that the Client Id and Secret should be passed through "Authorization: Basic" header:
By default, client credentials are represented by the clientId and clientSecret of the client in the Authorization: Basic header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
You also need to set the grant_type parameter to "client_credentials" as per the OAuth2 specification.
For example, the POST invocation to retrieve a service account can look like this:
POST /realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
However, by doing that I get HTTP 401 Unauthorized with {"error":"invalid_client","error_description":"Invalid client or Invalid client credentials"}.
But if I pass the client_id and client_secret as body parameters with the grant_type, the access key is returned. So, I believe Keycloak is using "client_secret_post" by default instead of "client_secret_basic" (https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) as the client authentication method.
Version
26.2.4
Regression
- The issue is a regression
Expected behavior
I would like the docs to describe how to pass the client_id and client_secret according to the client authentication method and to give me a link on how to change the client authentication method.
Actual behavior
Passing Base64 encoded client_id:client_secret in the Authorization: Basic header gives HTTP 401 Unauthorized with {"error":"invalid_client","error_description":"Invalid client or Invalid client credentials"}.
How to Reproduce?
Follow the steps of Server Administration, "13 Managing OpenID Connect and SAML Clients" ⇨ "Managing OpenID Connect clients" ⇨ "Confidential client credentials" docs (File: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc).
Anything else?
No response
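The difference between the two client authentication methods discussed in this report, shown as an added example that is not part of the issue or of Keycloak's code. It builds the same client_credentials token request in both the client_secret_basic form (credentials in the Authorization: Basic header, as in the docs excerpt) and the client_secret_post form (credentials as form parameters), and checks it against a hypothetical token endpoint that honours exactly one method, which models the mismatch the reporter observed. The credentials "product-sa-client" / "password" are constructed so that the Basic header equals the value quoted from the docs; the endpoint logic is a simplified model, not Keycloak's implementation, and the token value is a placeholder.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed sample credentials; their Basic encoding matches the docs excerpt.
CLIENT_ID = "product-sa-client"
CLIENT_SECRET = "password"

INVALID_CLIENT = {
    "error": "invalid_client",
    "error_description": "Invalid client or Invalid client credentials",
}


def build_token_request(method, client_id, client_secret):
    """Return (headers, body) for a client_credentials token request using the
    given client authentication method (client_secret_basic or client_secret_post)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then Base64 "id:secret".
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method {method!r}")
    return headers, urlencode(form)


def extract_client_credentials(headers, body):
    """Server-side view of a request: return (method, client_id, client_secret)
    or None when neither form of credentials is present or the header is malformed."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        cid, sep, sec = decoded.partition(":")
        if not sep:
            return None
        return ("client_secret_basic", unquote(cid), unquote(sec))
    params = parse_qs(body, keep_blank_values=True)
    if "client_id" in params and "client_secret" in params:
        return ("client_secret_post", params["client_id"][0], params["client_secret"][0])
    return None


def token_endpoint(accepted_method, headers, body):
    """Hypothetical token endpoint that accepts exactly one client authentication
    method. Returns (http_status, response_dict). A request that carries the
    credentials in the other form is rejected as invalid_client, which is the
    symptom described in the report."""
    creds = extract_client_credentials(headers, body)
    if creds is None or creds[0] != accepted_method:
        return 401, INVALID_CLIENT
    _, cid, sec = creds
    # Constant-time secret comparison, as a real token endpoint should do.
    if cid != CLIENT_ID or not hmac.compare_digest(sec, CLIENT_SECRET):
        return 401, INVALID_CLIENT
    if parse_qs(body).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"access_token": "<constructed-token>", "token_type": "Bearer"}


if __name__ == "__main__":
    for built_with in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request(built_with, CLIENT_ID, CLIENT_SECRET)
        for accepted in ("client_secret_basic", "client_secret_post"):
            status, resp = token_endpoint(accepted, headers, body)
            print(f"request={built_with:20s} endpoint={accepted:20s} -> {status} {resp}")
```

Running the block prints the four combinations: each request form succeeds only against the endpoint configured for that method, and the other two combinations return 401 with the invalid_client body from the report. In a real deployment the accepted method is a property of the client's configuration ("Client Authenticator" in the Keycloak admin console), so the fix on the client side is to match that setting rather than to guess.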