I created a client in Keycloak and enabled the "Consent required" toggle.
I successfully logged in to this client using the browser and accepted the consent.
Now I'm trying to retrieve a token using the API - http://{host}/realms/{realm}/protocol/openid-connect/token with grant_type password. But I received a bad request response:
{
    "error": "invalid_client",
    "error_description": "Client requires user consent"
}
Is this expected? Can't we use grant_type password for clients that require consent? I can't find any info about this.
In the ROPC flow, there should not be a consent step because there is no interaction with the user (it’s just a login through an API call). Nevertheless, I don’t recommend using ROPC for a ton of reasons (security, limitations in UX experience, deprecation advice in OAuth 2.1, etc.).
Yes, I see, thanks for the reply. Just to clarify, Keycloak has the following code in the ROPC flow, which is confusing:
    // Rejects the password grant whenever the client has "Consent required" enabled
    if (client.isConsentRequired()) {
        event.error(Errors.CONSENT_DENIED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_CLIENT, "Client requires user consent", Response.Status.BAD_REQUEST);
    }
So even if the user has already given consent, it will be an error just because of the client configuration.
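An added example (not code from the thread or from Keycloak itself): a minimal ROPC token request in Python against the endpoint template from the question, with the error response interpreted so the consent-required rejection is recognised as a client-configuration problem rather than a bad credential. The host, realm, client and user values are placeholders.

```python
# Added example, not Keycloak's own code: ROPC (grant_type=password) request
# and response interpretation for the consent-required rejection above.
import json
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(host: str, realm: str) -> str:
    """URL template from the question: /realms/{realm}/protocol/openid-connect/token."""
    return f"http://{host}/realms/{realm}/protocol/openid-connect/token"


def ropc_form(client_id: str, client_secret: str, username: str, password: str) -> dict:
    """Form body for the Resource Owner Password Credentials grant."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def interpret(status: int, body: dict) -> dict:
    """Classify a token endpoint response.

    Keycloak answers ROPC for a client with 'Consent required' enabled with
    400 invalid_client / "Client requires user consent", no matter what the
    user consented to in the browser, so this is a client-config problem.
    Wrong user credentials come back as invalid_grant (RFC 6749 section 5.2).
    """
    if status == 200 and "access_token" in body:
        return {"ok": True, "token_type": body.get("token_type")}
    err = body.get("error")
    desc = body.get("error_description", "")
    if err == "invalid_client" and "consent" in desc.lower():
        return {"ok": False, "cause": "client_config",
                "hint": "disable 'Consent required' on the client or use the authorization code flow"}
    if err == "invalid_grant":
        return {"ok": False, "cause": "credentials", "hint": desc}
    return {"ok": False, "cause": err or f"http_{status}", "hint": desc}


def request_token(host, realm, client_id, client_secret, username, password) -> dict:
    """POST the ROPC form and interpret the result (placeholder host/realm/user values)."""
    data = urllib.parse.urlencode(ropc_form(client_id, client_secret, username, password)).encode()
    req = urllib.request.Request(token_endpoint(host, realm), data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:
        return interpret(e.code, json.loads(e.read() or b"{}"))
```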
@embesozzi any updates on this?