Client access type: can't edit the client secret entry

Environment: Keycloak 18 or 19 (just upgraded to 19)

Error: I have an Android application with a pre-defined client-id and a pre-defined client secret (see

I would like to enter this client into my realm, but I have no selection for access type = confidential, and the client secret is always pre-created when creating the client settings.

From the Android client side I see “unknown parameter: redirect_uri” and the KC log shows:

2022-08-26 16:38:35,387 WARN  [org.keycloak.services] (executor-thread-11) KC-SERVICES0101: Failed to verify remote host : 87.154.171.4
2022-08-26 16:38:35,390 WARN  [org.keycloak.services] (executor-thread-11) KC-SERVICES0099: Operation 'before register client' rejected. Policy 'Trusted Hosts' rejected request to client-registration service. Details: Host not trusted.
2022-08-26 16:38:35,391 WARN  [org.keycloak.events] (executor-thread-11) type=CLIENT_REGISTER_ERROR, realmId=netzwissen, clientId=null, userId=null, ipAddress=87.154.171.4, error=not_allowed, client_registration_policy='Trusted Hosts'
2022-08-26 16:38:36,355 WARN  [org.keycloak.events] (executor-thread-11) type=LOGIN_ERROR, realmId=netzwissen, clientId=e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD, userId=null, ipAddress=87.154.171.4, error=client_not_found

What's wrong here? Why is the input field for client-secret not editable? Why can't I select between different access types, as documented in https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/clients/oidc/confidential.html

Hello,

I haven't had this issue before, but what I get from the logs provided is…

  • Failed to verify remote host : 87.154.171.4
  • Operation ‘before register client’ rejected. Policy ‘Trusted Hosts’ rejected request to client-registration service. Details: Host not trusted.

By chance, is there a certificate being used? Or a firewall on this node?

As for

Not sure what your settings are or how you configured this environment.

Keycloak is running behind an HAProxy load balancer which is used for SSL termination. I use proxy=edge, as described in Using a reverse proxy - Keycloak. And I saw that I had not finished the config for this correctly yet, as described in Using a reverse proxy - Keycloak.

I now added the “Enable the corresponding proxy provider” and “Configure the HTTP headers” steps to prepare for HAProxy proxying and restarted Keycloak. The “Trusted Hosts” and “failed to verify” errors are gone.

Current Configuration:
        kc.cache =  ispn (PersistedConfigSource)
        kc.config.built =  true (SysPropConfigSource)
        kc.db =  postgres (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.db-password =  ******* (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.db-url =  jdbc:postgresql://10.10.10.18/keycloak (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.db-username =  keycloak (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.health-enabled =  false (PersistedConfigSource)
        kc.hostname =  login.netzwissen.de (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.http-enabled =  false (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.http-relative-path =  / (PersistedConfigSource)
        kc.log =  console,file (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.log-console-output =  default (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.log-file =  /var/log/keycloak/keycloak.log (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.log-level =  info (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.metrics-enabled =  false (PersistedConfigSource)
        kc.provider.file.postgresql-42.3.5.jar.last-modified =  1652811176344 (PersistedConfigSource)
        kc.proxy =  edge (PropertiesConfigSource[source=file:/opt/keycloak/bin/../conf/keycloak.conf])
        kc.spi-map-storage-concurrenthashmap-dir =  ${kc.home.dir:default}${file.separator}data${file.separator}chm (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.spi-map-storage-concurrenthashmap-key-type-authz-resource-servers =  string (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.spi-map-storage-concurrenthashmap-key-type-realms =  string (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.spi-map-storage-concurrenthashmap-key-type-single-use-objects =  string (PropertiesConfigSource[source=jar:file:///opt/keycloak/lib/lib/main/org.keycloak.keycloak-quarkus-server-19.0.1.jar!/META-INF/keycloak.conf])
        kc.version =  19.0.1 (SysPropConfigSource)

But when creating clients, I still don't see an option to select “confidential client” and enter any pre-defined credentials.

That's strange …

And now I see the reason why I can not connect with the android app:

2022-08-27 08:03:10,758 WARN  [org.keycloak.events] (executor-thread-11) type=REFRESH_TOKEN_ERROR, realmId=netzwissen, clientId=e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD, userId=null, ipAddress=87.183.227.22, error=invalid_client_credentials, grant_type=refresh_token
2022-08-27 08:03:11,347 WARN  [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (executor-thread-11) HTTP header "" is empty
2022-08-27 08:03:11,348 WARN  [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (executor-thread-11) HTTP header "" is empty
2022-08-27 08:03:11,349 WARN  [org.keycloak.events] (executor-thread-11) type=REFRESH_TOKEN_ERROR, realmId=netzwissen, clientId=e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD, userId=null, ipAddress=87.183.227.22, **error=invalid_client_credentials,** grant_type=refresh_token

That makes sense, as I could not add the pre-defined credentials as they are defined in the ownCloud docs mentioned earlier. So the main question still is: “why does Keycloak not allow entering a pre-defined client secret?”
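To make sense of the three failures quoted in this thread (Trusted Hosts rejection, client_not_found, invalid_client_credentials) it helps to parse the org.keycloak.events WARN lines into fields. The following is an added example, not code from the thread or from Keycloak; the sample log lines are constructed to match the quoted format, with placeholder realm, client id and addresses, and the hints restate the causes the thread arrives at.

```python
import re

# Constructed sample lines in the Keycloak 19 log format quoted above
# (placeholder realm, clientId and IP addresses, not the poster's values).
SAMPLE_LOG = """\
2022-08-26 16:38:35,390 WARN  [org.keycloak.services] (executor-thread-11) KC-SERVICES0099: Operation 'before register client' rejected. Policy 'Trusted Hosts' rejected request to client-registration service. Details: Host not trusted.
2022-08-26 16:38:35,391 WARN  [org.keycloak.events] (executor-thread-11) type=CLIENT_REGISTER_ERROR, realmId=example, clientId=null, userId=null, ipAddress=203.0.113.10, error=not_allowed, client_registration_policy='Trusted Hosts'
2022-08-26 16:38:36,355 WARN  [org.keycloak.events] (executor-thread-11) type=LOGIN_ERROR, realmId=example, clientId=my-android-client, userId=null, ipAddress=203.0.113.10, error=client_not_found
2022-08-27 08:03:10,758 WARN  [org.keycloak.events] (executor-thread-11) type=REFRESH_TOKEN_ERROR, realmId=example, clientId=my-android-client, userId=null, ipAddress=203.0.113.10, error=invalid_client_credentials, grant_type=refresh_token
"""

# Only the structured event lines carry key=value fields; other WARN lines are skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN\s+\[org\.keycloak\.events\] \(\S+\) (?P<fields>.*)$"
)

# Hints for the (type, error) pairs seen in this thread, as the thread explains them.
HINTS = {
    ("CLIENT_REGISTER_ERROR", "not_allowed"):
        "dynamic client registration rejected by the realm's Trusted Hosts policy; "
        "behind a proxy, check the proxy provider and forwarded-header setup, or register the client manually",
    ("LOGIN_ERROR", "client_not_found"):
        "no client with this clientId exists in the realm yet",
    ("REFRESH_TOKEN_ERROR", "invalid_client_credentials"):
        "secret does not match, or Client authentication is off for a client that sends a secret",
}

def parse_event(line):
    """Parse one org.keycloak.events WARN line into a dict; return None for other lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = {"timestamp": m.group("ts")}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip().strip("'")
    return event

def triage(log_text):
    """Return (clientId, type, error, hint) for each event that matches a known failure."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("type"), ev.get("error"))
        if key in HINTS:
            findings.append((ev.get("clientId"), key[0], key[1], HINTS[key]))
    return findings
```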

This is odd. What I just noticed, comparing it to mine, was that yours states “Create Client” and my KC “19.0” shows “Add client”.

Have you tried just to create the client and go back in to adjust it?

Hmmmm, the whole UI looks different here with KC 19.01:

For the flows I have these options:

But there may be another option (more or less a “workaround”): it is possible to import the client settings from a json file. This link describes how to import client settings with a pre-defined secret, this is exactly what I need:

I will try this and keep you updated :wink:

Oh wow, yeah the whole Web UI looks different.

:+1:

I could solve my problem and it's much easier than I thought:

Client Authentication is the new public/confidential “switch” for clients in the latest version. It also causes CODE_TO_TOKEN_ERROR with invalid_client_credentials message and might produce 400, 401, or 403 error code depending on the browser and UI.

I solved it thanks to this thread. Everything works flawlessly now.

Hi All

Simply follow the steps below:

  1. From the “Settings” tab, turn on the “Client authentication” property.

  2. After enabling it, two new tabs, “Keys” and “Credentials”, will appear.

  3. Now, you can get “Client secret” from Credentials tab.
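The same result can be reached through the JSON import the thread mentions as a workaround: “Client authentication” ON in the Keycloak 19 console corresponds to publicClient=false in the ClientRepresentation, and a pre-defined secret goes in the secret field. The following is an added example, not code from the thread or from Keycloak; it builds such a representation and lints it for the mistakes that produce the errors seen above (the 32-character minimum is an assumed local policy, not a Keycloak requirement).

```python
import json

def confidential_client(client_id, secret, redirect_uris):
    """Build a Keycloak ClientRepresentation for a confidential OIDC client
    with a pre-defined secret, suitable for the admin console's client import."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,                    # "Client authentication" ON in the KC 19 console
        "clientAuthenticatorType": "client-secret",
        "secret": secret,                         # the pre-defined secret the app already ships with
        "standardFlowEnabled": True,              # authorization code flow for the mobile app
        "directAccessGrantsEnabled": False,       # no password grant
        "redirectUris": list(redirect_uris),
    }

def lint_client(rep):
    """Return a list of problems to fix before importing the representation."""
    problems = []
    secret = rep.get("secret") or ""
    if rep.get("publicClient") and secret:
        problems.append("secret set on a public client: Keycloak will not check it")
    if not rep.get("publicClient") and not secret:
        problems.append("confidential client without a secret: token requests fail with invalid_client_credentials")
    if secret and len(secret) < 32:               # assumed local policy threshold
        problems.append("client secret shorter than 32 characters")
    uris = rep.get("redirectUris") or []
    if not uris:
        problems.append("no redirect URIs: authorization requests will be rejected")
    for uri in uris:
        if uri == "*" or uri.endswith("/*"):
            problems.append(f"wildcard redirect URI {uri!r} permits redirects to unintended locations")
    return problems

def to_import_json(rep):
    """Serialise the representation as the file the admin console import expects."""
    return json.dumps(rep, indent=2)
```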