Direct Grant for API access with Identity Brokering

Hello, similar questions have previously been asked but, as far as I can tell, either not with this configuration or the problems were not resolved. So, any help would be very appreciated. We are at a loss.

In our platform we have an existing user management service that exposes an OAuth2 identity provider (Doorkeeper)

We also have an API gateway. We would like the API gateway to authenticate users that exist in the user management service.

We would like to use Keycloak as an identity broker between the gateway and doorkeeper. This is so we can easily swap in other identity providers in the future.

Since we are dealing with API access the correct flow seems to be the “Direct Grant” flow. So, we are attempting to configure Keycloak with identity brokering for the direct grant flow. We are failing :)

I have configured a confidential client called ‘api-client’

I have configured an OIDC identity provider named ‘doorkeeper’

I have configured a new authentication flow named ‘API’. This flow has a single ‘Identity Provider Redirector’ execution.

I have set the default identity provider for the execution to ‘doorkeeper’

I attempt the following request:

curl --location --request POST 'http://localhost:8080/auth/realms/api/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=api-client' \
  --data-urlencode 'client_secret=<SECRET>' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'username=<USERNAME>' \
  --data-urlencode 'password=<PASSWORD>'

And receive a 400 response with the text “An error occurred, please login again through your application”

I can view the logs of the user management service and confirm that the request was received and succeeded with a 200 status code.

I have turned on TRACE logging on keycloak and see the following logs:

09:05:28,642 TRACE [org.infinispan.interceptors.impl.CallInterceptor] (default task-1) Invoking: GetKeyValueCommand
09:05:28,642 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1) client by id cache hit: api-client
09:05:28,642 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
09:05:28,642 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
09:05:28,642 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
09:05:28,642 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
09:05:28,643 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
09:05:28,643 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
09:05:28,643 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-1) Authentication session not found. Trying to restart from cookie.
09:05:28,643 DEBUG [org.keycloak.protocol.RestartLoginCookie] (default task-1) KC_RESTART cookie doesn't exist
09:05:28,643 TRACE [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=api, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code, identity_provider=doorkeeper, requestUri=http://localhost:8080/auth/realms/api/broker/doorkeeper/login?session_code=z8okFHwVGznodFrlwkk1PGuUQaw0vQZJuEdoc3b6028&client_id=api-client&tab_id=j-J6Og9y4rI, cookies=[]

I have also tried disabling all executions on the “first login” authentication flow.

Can anyone help?

Thank you
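The direct-grant exchange described in the post above, as an added example that is not part of the original thread and is not Keycloak's or the poster's own code. It assumes the endpoint and parameter names the poster used (localhost:8080 with the legacy /auth prefix, realm api, confidential client api-client); the constant names, the fake responses and the sample token are constructed here for illustration. Beyond the curl command, it distinguishes a proper OAuth2 JSON error body from the plain-text 400 the poster received, and decodes the returned token's claims for inspection without verifying them.

```python
# Added example (not from the original post): run the Keycloak "Direct Grant"
# (OAuth2 Resource Owner Password Credentials) request against the token
# endpoint shown in the post and handle the reply shapes a caller must expect.
# KEYCLOAK_BASE / REALM and the responses used in the tests are assumptions
# constructed for illustration.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:8080/auth"  # assumed; matches the post's URL
REALM = "api"                                  # assumed; matches the post's URL


def token_endpoint(base_url: str = KEYCLOAK_BASE, realm: str = REALM) -> str:
    """OIDC token endpoint of a realm (Keycloak with the legacy /auth prefix)."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def direct_grant_form(client_id, client_secret, username, password, scope="openid"):
    """Form body for grant_type=password, the same fields the post's curl sends."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "scope": scope,
        "username": username,
        "password": password,
    }


def http_post_form(url, form):
    """Real transport: POST application/x-www-form-urlencoded, return (status, body).
    4xx/5xx bodies are returned rather than raised so the caller can read
    Keycloak's error / error_description fields."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def parse_token_response(status, body):
    """Classify a token-endpoint reply.
    ("ok", dict)          200 with an access_token
    ("oauth_error", dict) an RFC 6749 error JSON such as invalid_grant
    ("unexpected", str)   anything else, e.g. the plain-text 400 page the
                          poster got, which is not a token-endpoint error at all"""
    try:
        payload = json.loads(body)
    except ValueError:
        return "unexpected", body
    if status == 200 and "access_token" in payload:
        return "ok", payload
    if isinstance(payload, dict) and "error" in payload:
        return "oauth_error", payload
    return "unexpected", body


def decode_jwt_claims(token):
    """Decode the payload of a compact JWS WITHOUT verifying its signature.
    Debugging aid only: a gateway must verify the signature against the realm's
    JWKS and check iss/aud/exp before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def direct_grant(client_id, client_secret, username, password, post=http_post_form):
    """Whole exchange; `post` is injectable so the logic can be exercised offline."""
    form = direct_grant_form(client_id, client_secret, username, password)
    status, body = post(token_endpoint(), form)
    return parse_token_response(status, body)


if __name__ == "__main__":
    kind, result = direct_grant("api-client", "<SECRET>", "<USERNAME>", "<PASSWORD>")
    if kind == "ok":
        print("claims:", decode_jwt_claims(result["access_token"]))
    else:
        print(kind, result)
```

With the poster's configuration the `unexpected` branch is the one that fires: the body is the "An error occurred, please login again through your application" page, not a JSON `error`/`error_description` object, which is the quickest way to tell that the request never reached the grant logic and was bounced by the browser-oriented broker flow instead.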

Hi, did you find a solution to this problem? Is Keycloak able to do this by configuration? I ran into the same situation. Please share any opinion.