I have an app running in a Kubernetes environment, and I have been trying to use Keycloak-Gatekeeper in Forward-signing mode (as a Kubernetes sidecar) to interact with AWS Cognito with a client-credentials flow.
I am using the v7.0.0 Docker image of Keycloak Gatekeeper that I found on Docker Hub (https://hub.docker.com/r/keycloak/keycloak-gatekeeper/tags).
If I use curl to send requests to the Cognito "/oauth2/token" endpoint using a clientId/clientSecret in an auth header and grant_type=client_credentials, I succeed in obtaining a token.
Using Gatekeeper I am currently getting the following error:
"failed to login to authentication service","error":"unsupported_grant_type"
According to the Keycloak docs regarding using Gatekeeper as a “Forward-signing proxy”:
“At present the service performs a login using oauth client_credentials grant type, so your IdP service must support direct (username/password) logins.”
Have I misunderstood client_credentials? I thought you supply clientId/clientSecret rather than a username/password.
Looking in the Gatekeeper code (v 2.3.0), it appears that it is trying to use the “password” grant_type rather than “client_credentials” - I think that the “unsupported_grant_type” error I am seeing comes from a “UserCredsToken” call.
Am I using Gatekeeper incorrectly?
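To make the difference between the two grants concrete, here is an added example (not from the original post or from the Gatekeeper project) that builds the token request curl sends (client_credentials, credentials in a Basic header) next to the one a password-grant client sends, and maps the IdP's error body to a diagnosis. The token URL and credentials are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://idp.example.invalid/oauth2/token"  # constructed placeholder


def build_token_request(token_url, client_id, client_secret, grant_type,
                        username=None, password=None):
    """Return a urllib Request for an OAuth2 token call.

    client_credentials: client id/secret travel in an HTTP Basic header and
    the form body carries only grant_type (what the curl call above does).
    password: the body additionally carries a resource owner's
    username/password; an IdP that does not enable this grant for the
    client answers with error=unsupported_grant_type.
    """
    form = {"grant_type": grant_type}
    if grant_type == "password":
        if username is None or password is None:
            raise ValueError("password grant needs username and password")
        form["username"] = username
        form["password"] = password
    elif grant_type != "client_credentials":
        raise ValueError(f"grant not covered by this example: {grant_type}")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(token_url, data=urlencode(form).encode(),
                   headers=headers, method="POST")


def classify_token_error(response_body):
    """Turn an RFC 6749 error JSON body into a short diagnosis."""
    try:
        err = json.loads(response_body).get("error")
    except (ValueError, AttributeError):
        return "unparseable"
    if err == "unsupported_grant_type":
        return "grant type not enabled for this client; check which grant the proxy sends"
    if err == "invalid_client":
        return "client id/secret rejected"
    return err or "ok"
```

Comparing `req.data` for the two grants shows exactly which body the IdP is rejecting, independent of the proxy's own log wording.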