7

I am trying to get the access token for the super user so that I can use it to create new users in Keycloak. I have deployed Keycloak in WildFly, and when I try to do the GET call I am getting "Invalid user credentials" as the response. How do I find out the actual credentials?

And when I try to update the password from the console, I get an error message like the one below.

Since I am new to this and didn't find enough information on the internet either, any kind of help will be appreciated.

Updated:

Now I am getting a new error description, "Parameter client_assertion_type is missing", as below. What should client_assertion_type be here?

Jet
  • 3,018
  • 4
  • 33
  • 48

3 Answers

7

This keycloak help page describes the most likely reason for the second error:

Q: When logging in, I get an error: Parameter client_assertion_type is missing [invalid_client].

A: This error means your client is configured with Signed JWT token credentials, which means you have to use the --keystore parameter when logging in.

Alternatively you can disable using JWT tokens for the client in Keycloak.

THelper
  • 15,333
  • 6
  • 64
  • 104
2

For your information, the client_assertion_type would probably be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. But then you'd get another error because the client_assertion is missing.

If ccp-portal is a confidential client using client authentication with signed JWT then the Keycloak doc states that

During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.

  • I guess it's not possible to generate a JWT with PostMan.
  • This is meant for backchannel client-keycloak communication, not for user authentication.

Solutions

  • You can use the admin-cli as client_id instead of your ccp-portal client. The admin-cli should be in the list of clients configured for your ccp realm. You can see that from the Keycloak interface.
  • Another option is to allow direct access grants in the ccp-portal client config.
  • Finally you could use ccp-portal client in your application configured with one of the Keycloak client adapters, instead of POSTMan.

As subrob sugrobych mentioned, parameters should be passed as form-data.

Olivier Tonglet
  • 3,312
  • 24
  • 40
1

First of all, when you are posting data to Keycloak over a REST client, you need to send the parameters as form parameters, not as query parameters. This is why you are getting the strange error about not providing the parameter grant_type when you obviously are providing it. The same applies when accessing the Keycloak API from code.

The next thing you need to think about are the roles for your superuser. You can assign realm roles and client roles. There is a client named 'realm-management' which contains roles that would normally count as "system roles". You will need to use them. When you get HTTP code 403, it probably means that your user is missing a role from this client.

subrob sugrobych
  • 1,034
  • 8
  • 12
  • I have updated the question with new error description, plz check – Jet Aug 18 '17 at 05:22
  • It also says 'Invalid Client'. may be you are missspelling its name? – subrob sugrobych Aug 21 '17 at 15:35
  • it is correct and all of sudden started getting this error – Jet Aug 22 '17 at 03:09
  • 1
    Hi, when you look at Keycloak's code, you'll see that client_assertion_type can have the value 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' and, when you pass it (or when it is required) you also need to pass client_assertion, which should contain a "signing token". Keycloak requires this parameter when "signing token" is set in your configuration. So it must be set in your realm or in the JSON in your web app. Please provide it for further investigation – subrob sugrobych Aug 23 '17 at 16:55
  • ok, I didn't find the `signing token` when I searched in the realm. Do I need to set it or will it be set by default and I just need to use it? – Jet Aug 24 '17 at 04:43
  • 2
    @ subrob ........ I have added registration access token and the issue came now is...... { "error_description": "Client authentication with signed JWT failed: Can't identify client. Issuer missing on JWT token", "error": "unauthorized_client" } – Jet Aug 31 '17 at 10:09