Once Haventec IAM has been configured with Haventec Authenticate and the OpenID Landing Page, the Direct Access Grants authentication flow must be disabled. This turns off the grant_type password, so that users can no longer obtain an access_token (JWT) by presenting their username and password.
The Direct Access Grants flow is aimed at REST clients that want to obtain a token on behalf of a user.
When creating a client, disabling the Direct Access Grants option prevents that client from using password as a grant_type when requesting access_tokens.
This disables the Direct Access Grants flow for your client.
Finally, once the flow has been disabled for your client, running the following command should return the error shown below:
```bash
curl \
  -d 'client_id={client-id}' \
  -d 'client_secret=d8......e5' \
  -d 'username={username}' \
  -d 'password={password}' \
  -d 'grant_type=password' \
  'http://{haventec-iam-location}/auth/realms/{realm}/protocol/openid-connect/token' \
  | python -m json.tool
```
```json
{
    "error": "unauthorized_client",
    "error_description": "Client not allowed for direct access grants"
}
```
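The same check, scripted so it can be run against each client after configuration. This is an added example, not Haventec's own code: it assumes the token endpoint URL format shown above, and it classifies the response using the OAuth 2.0 error codes from RFC 6749 (an `invalid_grant` for bad credentials still means the grant type itself was accepted).

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def password_grant_probe(token_url, client_id, client_secret, username, password, timeout=10):
    """POST the grant_type=password request from the page; return (http_status, json_body)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "grant_type": "password",
    }).encode()
    req = urllib.request.Request(token_url, data=form, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:  # Keycloak-style servers return 4xx with a JSON error body
        raw = err.read().decode()
        try:
            return err.code, json.loads(raw)
        except json.JSONDecodeError:
            return err.code, {"raw": raw}


def classify(status, body):
    """Decide whether the Direct Access Grants flow is disabled for the probed client."""
    if "access_token" in body:
        return "FLOW_ENABLED"          # a JWT came back: passwords are still accepted
    error = body.get("error")
    if error == "unauthorized_client":
        return "FLOW_DISABLED"         # the expected result from the page
    if error == "invalid_grant":
        return "FLOW_ENABLED"          # credentials rejected, but the grant type was evaluated
    return "INDETERMINATE"             # e.g. invalid_client: client auth failed before grant checks


if __name__ == "__main__":
    # Constructed response mirroring the page's expected output; no network call is made here.
    sample_status, sample_body = 400, {
        "error": "unauthorized_client",
        "error_description": "Client not allowed for direct access grants",
    }
    print(classify(sample_status, sample_body))
    # To probe a live realm (placeholders are assumptions, not real values):
    # status, body = password_grant_probe(
    #     "http://{haventec-iam-location}/auth/realms/{realm}/protocol/openid-connect/token",
    #     "{client-id}", "{client-secret}", "{username}", "{password}")
    # print(classify(status, body))
```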