Gatekeeper client-credential flow config problem - "unsupported_grant_type"


I have an app running in a Kubernetes environment, and I have been trying to use Keycloak-Gatekeeper in Forward-signing mode (as a Kubernetes sidecar) to interact with AWS Cognito with a client-credentials flow.

I am using the v7.0.0 Docker Image of Keycloak Gatekeeper that I found in Docker hub (

If I use curl to send requests to the Cognito “/oauth2/token” endpoint using a clientId/clientSecret in an auth header and grant_type=client_credentials, I succeed in obtaining a Token.

Using Gatekeeper I am currently getting the following error:

“failed to login to authentication service”,“error”:“unsupported_grant_type”

According to the Keycloak docs regarding using Gatekeeper as a “Forward-signing proxy”:

“At present the service performs a login using oauth client_credentials grant type, so your IdP service must support direct (username/password) logins.”

Have I misunderstood client_credentials? I thought you supply clientId/clientSecret rather than a username/password.

Looking in the Gatekeeper code (v 2.3.0), it appears that it is trying to use the “password” grant_type rather than “client_credentials” - I think that the “unsupported_grant_type” error I am seeing comes from a “UserCredsToken” call.

Am I using Gatekeeper incorrectly?

Just found someone raising an indentical issue, along with a PR for the fix:"gatekeeper%20client_credentials"

Hey @tim-gen, have you managed to solve this issue and get gatekeeper working with cognito client credentials flow? I need to implement a client credentials solution with cognito and thought of using kc gatekeeper (now louketo-proxy) to accomplish that.

Hi There.

I ended-up adding code to our Java component to acquire the Bearer Tokens. The Spring extension to RestTemplate, OAuth2RestTemplate, does all the work for me.

I saw your message whilst check if the Keycloak team had accepted the PR I saw to enhance Gatekeeper with this functionality.