anarsultanov / keycloak-multi-tenancy

Keycloak extension for creating multi-tenant IAM for B2B SaaS applications.
Apache License 2.0

How to obtain an access token using the Resource Owner Password Grant for users belonging to two or more tenants #39

Closed EnForet closed 5 months ago

EnForet commented 5 months ago

Hello,

We are examining how your logic works.

I'd like to ask you a question.

There are two users:

If I try to obtain an access token on behalf of alice from the /token endpoint using Resource Owner Password Grant, it works as expected.

image

But when I try to obtain an access token on behalf of bob, it returns an error as shown below:

image

It works well when I try to log in using Authorization Code Grant.

image

Could you please let me know how I can obtain an access token for bob?

anarsultanov commented 5 months ago

Hello,

Thank you for reaching out and describing the issue you are facing.

In Keycloak, when a "Required Action" such as SelectActiveTenant is active, it unfortunately interferes with obtaining a token using the Resource Owner Password Grant. This is because such actions require explicit user interaction, which cannot be provided through the Resource Owner Password Grant flow.

A potential solution to this problem would be to bypass the SelectActiveTenant action and instead utilize the AllTenantsMapper. This approach will allow a user to log in using any grant type, including the Resource Owner Password Grant, and receive an access token that includes information about all tenants they are associated with in the token claims. However, this method shifts the responsibility to your application to determine on behalf of which tenant the user is acting at any given time.

Please consider this approach and let me know if you need further assistance or have other questions.
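The following is an added example of the application-side responsibility the maintainer describes; it is not code from keycloak-multi-tenancy or from Keycloak. It assumes the AllTenantsMapper places the user's tenant memberships in a claim named `tenants` (the real claim name depends on the mapper configuration), and it uses a constructed HS256 token with a shared secret so that it runs offline. Real Keycloak access tokens are RS256-signed, so a deployment would verify them with a JWT library and the realm's public key rather than with `verify_and_decode` below. The sample users mirror the issue: alice belongs to one tenant, bob to two, and the app must refuse to act for bob until the caller names a tenant he actually belongs to.

```python
"""Hypothetical app-side active-tenant resolution for tokens issued with
AllTenantsMapper. Added example, not project code. Assumed claim name and
HS256 demo signing are noted in the comments."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

TENANT_CLAIM = "tenants"  # assumption: the mapper's claim name; check your config
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed sample claims mirroring the issue (exp = 2100-01-01 UTC).
ALICE_CLAIMS = {"sub": "alice", "exp": 4102444800, TENANT_CLAIM: ["acme"]}
BOB_CLAIMS = {"sub": "bob", "exp": 4102444800, TENANT_CLAIM: ["acme", "initech"]}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed stand-in for a Keycloak access token (HS256, demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET,
                      now: Optional[float] = None) -> dict:
    """Check signature and expiry before trusting any claim, tenants included."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def resolve_active_tenant(claims: dict, requested_tenant: Optional[str] = None) -> str:
    """Decide which tenant this request acts for; with AllTenantsMapper the
    app, not the SelectActiveTenant required action, enforces this."""
    tenants = claims.get(TENANT_CLAIM)
    if not isinstance(tenants, list) or not tenants:
        raise PermissionError("token carries no tenant membership")
    if requested_tenant is None:
        if len(tenants) == 1:
            return tenants[0]  # alice's case: unambiguous, no selection needed
        # bob's case: several tenants, so the caller must name one explicitly
        raise ValueError("user belongs to several tenants; caller must name one")
    if requested_tenant not in tenants:
        raise PermissionError(f"user is not a member of tenant {requested_tenant!r}")
    return requested_tenant


def authorize_request(token: str, requested_tenant: Optional[str] = None,
                      secret: bytes = DEMO_SECRET,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """What a request filter would do: (True, tenant) or (False, reason)."""
    try:
        claims = verify_and_decode(token, secret, now)
        return True, resolve_active_tenant(claims, requested_tenant)
    except (ValueError, PermissionError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("alice, no tenant named:", authorize_request(make_demo_token(ALICE_CLAIMS)))
    print("bob, no tenant named:  ", authorize_request(make_demo_token(BOB_CLAIMS)))
    print("bob, tenant=initech:   ", authorize_request(make_demo_token(BOB_CLAIMS), "initech"))
    print("bob, tenant=globex:    ", authorize_request(make_demo_token(BOB_CLAIMS), "globex"))
```

The tenant the caller names (for example from a request header or path segment) is only ever accepted after the signature and expiry check and only if it appears in the token's own membership list; a request that names no tenant is accepted only when the token leaves no choice. That is the check the SelectActiveTenant required action performed interactively, moved into the application so that a non-interactive grant can still be used.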

EnForet commented 5 months ago

Thank you for your kind explanation.

I understood this to mean that it's not possible to obtain a token using the Resource Owner Password Grant if any of the "Required Actions" are active.