Obtaining an access token via cURL

Question

Simple question:

Why does the following code work... (it returns the access token just fine)

curl --data "grant_type=client_credentials&client_id=synchronization_tool&client_secret=8f6a6e73-66ca-4f8f-1234-ab909147f1cf" http://localhost:8080/auth/realms/master/protocol/openid-connect/token

And this one doesn't?

curl -d  '{"grant_type":"client_credentials","client_secret":"8f6a6e73-66ca-4f8f-1234-ab909147f1cf","client_id":"synchronization_tool"}' http://localhost:8080/auth/realms/master/protocol/openid-connect/token -H "Content-Type: application/json"

It gives gives me:

"error":"invalid_request","error_description":"Missing form parameter: grant_type"}

Aren't they supposed to be two completely analogous requests?

Is that a typo in your second request? It's missing a quote at the start of the json. I'm getting 404 with both those requests. — delephin, May 09 '18 at 15:12
@delephin thanks for pointing it out. Unfortunately it was a typo :( About the 404, I guess it normal since https://keycloak-server.company.com is not a real server name. I'll edit the question to avoid confusion. Thanks!!! — dafero, May 09 '18 at 15:37
Did the second req work after you made the change? I'm a bit confused. — delephin, May 09 '18 at 20:21
@delephin nope, it was just a typo when I copied and pasted from my terminal to SO — dafero, May 10 '18 at 15:04

score 37 · Accepted Answer · edited Mar 03 '23 at 09:58

37

curl -d 'client_id=xxx' -d 'username=xxx' -d 'password=xxx' -d 'grant_type=password' \
    'http://localhost:8080/auth/realms/YOUR_REALM_NAME/protocol/openid-connect/token' | \
    python -m json.tool

This works for me, and it will give you the access_token and session_token

edited Mar 03 '23 at 09:58

Aaron Digulla

321,842
108
597
820

answered Jun 20 '18 at 14:40

Anurag Choudhary

752
1
11
16

14

you may also need `-d 'client_secret=your_client_secret'` – Alex Burdusel Dec 21 '20 at 09:54
1

@AlexBurdusel, in 2023 the client_secret parameter is definitely needed, and without it the error message isn't so clear: `{"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}`. – Paolo Stefan May 31 '23 at 16:04

score 10 · Answer 2 · edited Mar 03 '23 at 09:59

10

Curl Command:

curl \
  -d "client_id=account" \
  -d "client_secret=YOUR_SECRET" \
  -d "grant_type=client_credentials" \
  "http://localhost:9080/auth/realms/myrealm/protocol/openid-connect/token"

Response:

{
  "access_token": "...redacted...",
  "expires_in": 3600,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "profile email"
}

edited Mar 03 '23 at 09:59

Aaron Digulla

321,842
108
597
820

answered Mar 19 '22 at 02:01

Cesar Celis

166
1
4
8

score 6 · Answer 3 · edited Aug 09 '22 at 20:42

6

Alright, it seems those cURL queries ARE NOT ANALOGOUS.

Also, the endpoint http://localhost:8080/auth/realms/master/protocol/openid-connect/token does not understand JSON and it only accepts x-www-form-urlencoded queries.

edited Aug 09 '22 at 20:42

Orn Kristjansson

3,435
4
26
40

answered May 14 '18 at 08:18

dafero

1,017
4
13
27

score 4 · Answer 4 · answered May 24 '23 at 09:42

Heads up when using Keycloak 17.0+. You have to omit /auth in the endpoint because the API has changed. Therfore, you need to execute following command:

curl -d 'client_id=xxx' -d 'username=xxx' -d 'password=xxx' -d 'grant_type=password' \ 
  'http://localhost:8080/realms/YOUR_REALM_NAME/protocol/openid-connect/token'

See here for the original question/answer.

bhargav joshi · Answer 5 · 2023-08-31T16:03:18.793

3

curl 'https://example.com/auth/realms/realm-test1/protocol/openid-connect/token'  \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=realm-test1' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username@example.com' \
--data-urlencode 'password=pass123xvDD##xds2'

If the password contained special bash characters like &,%,etc, then curl command failed

edited Aug 31 '23 at 16:03

answered Mar 13 '23 at 21:52

bhargav joshi

329
3
6

4

My setup have worked without "auth" after domain. i.e.: https://example.com/realms/realm-test1/protocol/openid-connect/token (all other, just fine) – Lubo Mar 16 '23 at 04:56

Obtaining an access token via cURL

5 Answers5

Curl Command:

Response: