For those who are still facing this error and using 17.0+ version of Keycloak, there’s a change in endpoints as per the official documentation. I resolved this issue by just using {realm}/user and omitting /auth in between.
So, the question was asked a few months ago, but I was also faced with that question, and I wanted to answer it. I think that you don’t need Keycloak, it is good enough for you to use OAuth2 and JWT. Let me justify my answer: You have just one client – an Angular application. … Read more
Create regular user in a realm: Open admin console and select realm of your choice (realm selection box on top left side). Go to users (sidebar) -> add user (button on the right side) Fill in required fields and press save button. Open Credentials tab and set password. Open Role Mapping tab: Select realm-management under … Read more
If you mark the password as temporary a user action to update password is marked as required. And until the password has been updated/set by the user i.e. this action has been completed, you won’t be able to get an access token using this user since the account is not “fully setup” and is in … Read more
It is possible to configure a different lifespan for access tokens on a per client basis. In Keycloak admin console go to a client settings page and expand the “Advanced Settings” section. This screenshot is taken from Keycloak 4.8.1.Final. EDIT: Be aware that is override is applied to Authorization Code Flow only. The access token … Read more
The standalone Keycloak server runs on the top of a JBoss Wildfly instance and this server doesn’t allow accessing it externally by default, for security reasons (it should be only for the administration console, but seems to affect every url in case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable … Read more
In KeyCloak we have those 3 roles: Realm Role Client Role Composite Role There are no User Roles in KeyCloak. You most likely confused that with User Role Mapping, which is basically mapping a role (realm, client, or composite) to the specific user In order to find out how these roles actually work, let’s first … Read more
With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field ‘aud’ of the access token. Therefore even though the login succeeds the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]). Configure audience in Keycloak Add realm … Read more
Bearer-only access type meaning Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins. So if you select your client as bearer-only then in that case keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That why … Read more
Finally, I’ve found the solution by looking at the Keycloak’s source code: https://github.com/keycloak/keycloak/blob/9cbc335b68718443704854b1e758f8335b06c242/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L169. It says: If the client is a public client, then you must include a “client_id” form parameter. So what I was missing is the client_id form parameter. My request should have been: POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout Authorization: Bearer <access_token> Content-Type: application/x-www-form-urlencoded client_id=<my_client_id>&refresh_token=<refresh_token> The session … Read more