Haventec IAM: From Development to Production

Disable Direct Access Grants

Once Haventec IAM has been configured with Haventec Authenticate and the OpenID Landing Page, the Direct Access Grants authentication flow must be disabled. This turns off grant_type=password, so users can no longer obtain an access_token (JWT) with just a username and password.

The Direct Access Grants flow is aimed at REST clients that want to obtain a token on behalf of a user.

Configuration per Client:

When creating a client, disable the Direct Access Grants option. This stops that client from accepting password as a grant_type when issuing access_tokens.

Haventec IAM Client Config

This disables the Direct Access Grants flow for your client.

Finally, once the flow is disabled for your client, running the following command should return the error shown below:

        curl \
          -d 'client_id={client-id}' \
          -d 'client_secret=d8......e5' \
          -d 'username={username}' \
          -d 'password={password}' \
          -d 'grant_type=password' \
          'http://{haventec-iam-location}/auth/realms/{realm}/protocol/openid-connect/token' \
          | python -m json.tool

        {
            "error": "unauthorized_client",
            "error_description": "Client not allowed for direct access grants"
        }

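As an added verification check (example code, not part of Haventec's documentation), the script below automates the probe above and classifies the token endpoint's answer. It assumes a Keycloak-style token endpoint as in the curl command, that a still-enabled client answers a bad password with invalid_grant, and uses placeholders for the host, realm and client values.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

PASS, FAIL, UNKNOWN = "PASS", "FAIL", "UNKNOWN"


def classify_token_response(status, body):
    """Turn one token-endpoint response into (verdict, reason).

    unauthorized_client is the error the page documents for a client with
    Direct Access Grants disabled. A token, or an invalid_grant error (assumed
    to be the server's reply to bad credentials when the flow is still on),
    both mean the password grant was evaluated: FAIL. invalid_client means our
    own client secret was rejected, so nothing can be concluded yet: UNKNOWN.
    """
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        return UNKNOWN, "non-JSON response (HTTP %d)" % status
    if not isinstance(data, dict):
        data = {}
    if "access_token" in data:
        return FAIL, "password grant still issues access tokens"
    err = data.get("error")
    if err == "unauthorized_client":
        return PASS, data.get("error_description", "direct access grants disabled")
    if err == "invalid_grant":
        return FAIL, "flow still enabled: server evaluated the user credentials"
    if err == "invalid_client":
        return UNKNOWN, "client authentication failed; check client_id/secret"
    return UNKNOWN, "unexpected response (HTTP %d): %s" % (status, body[:120])


def probe_password_grant(token_url, client_id, client_secret, timeout=10):
    """POST grant_type=password with a throwaway user. No real user password is
    needed: a hardened client must refuse before it looks at the credentials."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "username": "dag-check-probe", "password": "not-a-real-password",
        "grant_type": "password",
    }).encode()
    req = urllib.request.Request(token_url, data=form, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:  # 4xx/5xx bodies carry the error JSON
        return classify_token_response(exc.code, exc.read().decode())


if __name__ == "__main__":
    # Placeholders: substitute your IAM host, realm and client values.
    url = "http://{haventec-iam-location}/auth/realms/{realm}/protocol/openid-connect/token"
    print(probe_password_grant(url, "{client-id}", "{client-secret}"))
```

Run it once per client after hardening; anything other than PASS means that client still needs the Direct Access Grants option switched off or its credentials corrected.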
