How to get a Keycloak token after authentication at an OIDC identity provider via CLI

I have set up an identity provider and via the UI it works fine. After redirection to Azure I can log in and Keycloak generates an access token. I want to do the same via CLI.

I tried with this command:
curl --location --request POST 'https:///realms//protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=' \
--data-urlencode 'client_secret=' \
--data-urlencode 'username=' \
--data-urlencode 'password=' \
--data-urlencode 'kc_idp_hint='

I get the following error: "invalid_user_credentials".

Do I need to setup a new authentication flow?

There is no way to do that using the Resource Owner Password Credentials grant (ROPC). To log in to Azure, KC is integrated with Azure (Identity Brokering) implementing the Authorization Code flow (browser-based authentication). Please review the OAuth 2.0 [1] standard.

So, good luck with ROPC :grinning: (just joking).

[1] RFC 6749 - The OAuth 2.0 Authorization Framework


So you say there is no way of doing this via CLI at all?

Yes, and for good reasons. Either use service accounts with access tokens or, depending on the use case, use a device grant flow.
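The device grant mentioned above, as an added example that is not part of this thread or of Keycloak's own tooling: it runs the RFC 8628 Device Authorization Grant against a realm's auth/device and token endpoints, so the brokered Azure login still happens in a browser while the CLI ends up holding the token. It assumes a public client with Keycloak's "OAuth 2.0 Device Authorization Grant" option enabled, a base URL without the /auth prefix of older deployments, and the constructed environment variable names KC_URL, KC_REALM and KC_CLIENT_ID.

```python
"""Device Authorization Grant (RFC 8628) against a Keycloak realm, for CLI use."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def post_form(url, fields):
    """Default transport: POST a URL-encoded form and return (HTTP status, JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # Keycloak answers 400 + JSON error while login is pending
        return err.code, json.load(err)

def start_device_flow(base_url, realm, client_id, post=post_form):
    """Request a device_code; the user finishes login (including a brokered IdP) in a browser."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/auth/device"
    status, body = post(url, {"client_id": client_id, "scope": "openid"})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {body.get('error')}")
    return body  # device_code, user_code, verification_uri_complete, interval, expires_in

def poll_for_token(base_url, realm, client_id, device, post=post_form, sleep=time.sleep):
    """Poll the token endpoint, backing off on slow_down and waiting on authorization_pending."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    interval = int(device.get("interval", 5))
    deadline = time.monotonic() + int(device.get("expires_in", 600))
    while time.monotonic() < deadline:
        status, body = post(url, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                  "device_code": device["device_code"]})
        if status == 200:
            return body  # access_token, refresh_token, id_token, ...
        error = body.get("error")
        if error == "slow_down":
            interval += 5  # RFC 8628: increase the polling interval by 5 seconds
        elif error != "authorization_pending":
            raise RuntimeError(f"token request rejected: {error}")  # expired_token, access_denied, ...
        sleep(interval)
    raise TimeoutError("user did not complete login before the device code expired")

if __name__ == "__main__":  # usage: KC_URL=... KC_REALM=... KC_CLIENT_ID=... python device_login.py
    import os
    args = (os.environ["KC_URL"], os.environ["KC_REALM"], os.environ["KC_CLIENT_ID"])
    dev = start_device_flow(*args)
    print(f"Open {dev['verification_uri_complete']} and confirm code {dev['user_code']}")
    print(poll_for_token(*args, dev)["access_token"])
```

A confidential client would additionally need to send its client_secret on both requests; the script above deliberately targets a public CLI client so no secret has to live on the workstation.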

Token exchange would work best, I guess: Securing Applications and Services Guide

With a bit of “hacking” you could achieve that…

Some refs: