Not being able to get the access token using MTLS


romina rsn

Aug 20, 2025, 11:32:13 AM
to Keycloak User

Hi, I have been trying to get the access token from Keycloak using a client certificate for granting the token. I am using a self-signed certificate on Keycloak, which is my authorization server, and a root-signed certificate for my client that is requesting the access token.
I have added the root CA of the client to a keystore and I am passing it in my start-up command.
This is my start command on Windows:

bin\kc.bat start-dev --https-certificate-file=./cert/key_cloack_certificate.crt --https-certificate-key-file=./cert/key_cloack_private.key --https-port=8443 --https-trust-store-file=./cert/truststore.jks --https-trust-store-password=randomPassword--https-client-auth=request --verbose --https-protocols=TLSv1.2

I have made sure that the client subject DN has been set correctly under Client -> Credentials in the admin console.

My client is a simple Python script that requests the token as follows.

Here is a snippet of my client trying to obtain the token:

import requests

# Keycloak token endpoint of the master realm
url = "https://localhost:8443/realms/master/protocol/openid-connect/token"

headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

# form body of the token request
body = {
    "grant_type" : "client_credentials"
}

# verify the server against the Keycloak certificate and present the client certificate (mTLS)
response = requests.post(url, headers=headers, data=body, verify="key_cloack_certificate.crt",
                         cert=("client_cert.crt", "client_cert.key"))

token_response = response.json()
access_token = token_response.get('access_token')

print("Access Token:", access_token)


I can see in Wireshark that the certificates of Keycloak and my client are sent correctly and the TLS handshake succeeds, but I get this error on Keycloak and the response I get is null:

[org.keycloak.events] (executor-thread-9) type="CLIENT_LOGIN_ERROR", realmId="25ade688-cde5-4af8-95fa-4b7143b53060", realmName="master", clientId="null", userId="null", ipAddress="0:0:0:0:0:0:0:1", error="client_not_found", grant_type="client_credentials"

I would be grateful if anyone could give me some support to solve this issue :)

Regards,
RR

George McGinley Smith

Aug 22, 2025, 9:05:31 AM
to Keycloak User
It looks like you are not sending a full client credentials request; you are missing at least the client ID and client secret there.

The certificate is not used in place of identification, but rather as an additional step to confirm that the client and server are in possession of the private keys, as well as knowing the client secret.

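A client along the lines the reply describes, written here as an added example (not the poster's script or Keycloak's own code): it sends client_id (and client_secret where the client has one) in the form body, presents the client certificate from an explicit TLS context, and surfaces Keycloak's error fields instead of silently returning None. The file names are placeholders; the token URL is the one from the question.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Token endpoint from the question; certificate file names below are placeholders.
TOKEN_URL = "https://localhost:8443/realms/master/protocol/openid-connect/token"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def build_token_request(client_id, client_secret=None):
    """Encode the client_credentials form body. client_id is mandatory: Keycloak
    looks the client up by it before it considers the certificate."""
    if not client_id:
        raise ValueError("client_id is required in the token request form body")
    form = {"grant_type": "client_credentials", "client_id": client_id}
    if client_secret:  # only for clients that also authenticate with a secret
        form["client_secret"] = client_secret
    return urllib.parse.urlencode(form).encode()


def make_mtls_context(ca_file, client_cert, client_key):
    """Verify the server against ca_file and present the client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def parse_token_response(status, payload):
    """Return the access token, or raise with Keycloak's error/error_description."""
    data = json.loads(payload)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(
            f"token request failed ({status}): {data.get('error')}: {data.get('error_description')}"
        )
    return data["access_token"]


def fetch_access_token(client_id, client_secret, ca_file, client_cert, client_key, url=TOKEN_URL):
    body = build_token_request(client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=FORM_HEADERS, method="POST")
    ctx = make_mtls_context(ca_file, client_cert, client_key)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # Keycloak answers 4xx with a JSON error body
        return parse_token_response(err.code, err.read())
```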