Is "get token" endpoint supported for "x509/ Validate Username" flow?


Ian Riches

May 3, 2024, 1:38:49 AM5/3/24
to Keycloak User
Hi, I'm trying, successfully(ish), to get a JWT token from Keycloak based on a user that's mapped to an x509 certificate.  I've got the certs/truststores working nicely, and I get a token.  The problem is that the REST API I'm using to get the token is using the deprecated "password grant".  If we ignore the fact that it's deprecated, it works great:  I create an mTLS connection, then use curl to ask for a token.  Then I get a token, and it looks great.  

For parameters, I'm using "password" as the grant type, and empty strings for the name and password.  When Keycloak sees these empty credentials, it proceeds to try to match the email address in the caller's certificate to a user in Keycloak, and makes a match.

re:

I realize I could instead use the "client credentials grant" type.  That works, but it maps to a client's "service account", and not a user that Keycloak's federated from its IDP (LDAP in this case).  What I'd really like is to have all role and user mapping be the responsibility of LDAP.  The "x509/ Validate Username" flow, along with the deprecated "password grant" gives me this.  Is there a non-deprecated way to do this? 

As a side-note, the password grant is deprecated because the name/password credentials (if supplied) are being passed around.  In my case, where they are empty, I don't see why this would be an issue.  Except that the next version of OAuth won't support it.
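The request described in the post, written out as an added example (this is not code from the original message or from the Keycloak project): an mTLS token request using the password grant with empty username/password, plus a small offline helper that decodes the returned JWT payload and tells a federated-user token apart from a client-credentials (service-account) token. The server URL, realm, client id and certificate paths are placeholder assumptions; the sample tokens at the bottom are constructed and unsigned, so the script runs without a live Keycloak.

```sh
#!/bin/sh
# Added example, not from the original post. The values below are assumptions:
# replace KEYCLOAK_URL, REALM, CLIENT_ID and the certificate/truststore paths.
KEYCLOAK_URL="${KEYCLOAK_URL:-https://keycloak.example.com}"
REALM="${REALM:-myrealm}"
CLIENT_ID="${CLIENT_ID:-my-client}"
CLIENT_CERT="${CLIENT_CERT:-./client.crt}"   # end-user certificate presented over mTLS
CLIENT_KEY="${CLIENT_KEY:-./client.key}"
CA_BUNDLE="${CA_BUNDLE:-./truststore-ca.pem}"   # CA that issued the Keycloak server cert

# The request from the post: password grant over mTLS with empty username and
# password, so Keycloak falls through to the X509/Validate Username step.
# Needs a live server, so the offline checks below never call it.
request_token() {
  curl -sS --cert "$CLIENT_CERT" --key "$CLIENT_KEY" --cacert "$CA_BUNDLE" \
    -d grant_type=password -d "client_id=$CLIENT_ID" \
    -d username= -d password= \
    "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token"
}

# base64url helpers (RFC 7515): JWT segments drop '=' padding and use '-' '_'.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Decode the payload (second segment) of a JWT. Inspection only: this does not
# verify the signature, so never use it to make an authorization decision.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Pull one string-valued claim out of the payload (use jq instead if available).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Tell a federated-user token from a client-credentials token: Keycloak names
# the service-account user of a client "service-account-<clientId>".
token_principal_kind() {
  case "$(jwt_claim "$1" preferred_username)" in
    service-account-*) echo service-account ;;
    *) echo user ;;
  esac
}

# Constructed sample tokens (unsigned, "alg":"none") for offline demonstration.
mk_token() {
  printf '%s.%s.sig' \
    "$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)" \
    "$(printf '%s' "$1" | b64url_encode)"
}
SAMPLE_USER_TOKEN=$(mk_token '{"preferred_username":"alice","email":"alice@example.com"}')
SAMPLE_SA_TOKEN=$(mk_token "{\"preferred_username\":\"service-account-$CLIENT_ID\",\"clientId\":\"$CLIENT_ID\"}")

# Usage against a real server (extract access_token from the JSON response):
#   TOKEN=$(request_token | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
#   token_principal_kind "$TOKEN"     # expect "user" for the x509-mapped LDAP user
```

Running `token_principal_kind` on a token obtained with `grant_type=client_credentials` prints `service-account`, which is the mapping to the client's service account the post wants to avoid; the password-grant request over mTLS with empty credentials yields `user` for the certificate's LDAP-federated account.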


