
There are some Ansible playbooks that perform run-time configuration of a Keycloak instance via REST API. The playbooks obtain an authentication token with OIDC. They use username + password - or an X.509 certificate - for authentication when getting the token, and then perform the necessary administrative tasks with the aforementioned token.

These playbooks may happen to be executed long after the installation of Keycloak, so it's not just an initialization.

The problem is that the password expiration policy must be set (to a finite number) and eventually forces the "config-management" user - the one that Ansible uses - to change its password, and until that happens, it refuses to serve auth tokens.

The response from Keycloak in that case is:

{
    "error": "invalid_grant",
    "error_description": "Account is not fully set up"
}

If I log in on the GUI and change the password on the presented form it works again, but how can I work around this? If I try to do the same password change process via REST API, then I also get a denial as the password has expired.

I have tried to set up X.509 authentication, but that still doesn't solve the problem: when password expiration happens, it still denies auth tokens, no matter how long the certificate is valid.

ZB1900
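An added example, not part of the question or the Keycloak project, of a pre-flight check a playbook could run before its admin tasks: it builds the OIDC password-grant request against Keycloak's standard token endpoint and classifies the reply, so the "Account is not fully set up" case (expired password, change required) fails with an actionable message instead of a generic auth error. The base URL, realm name and client id are assumptions (older Keycloak versions prefix the path with /auth); the sample error body is the one quoted above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from enum import Enum

# Keycloak's standard OIDC token endpoint; the realm name is the caller's choice.
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"
# Error text Keycloak returns while a required action (password change) is pending.
ACCOUNT_NOT_SET_UP = "Account is not fully set up"
# Constructed sample body, copied from the response quoted in the question.
SAMPLE_EXPIRED_BODY = '{"error": "invalid_grant", "error_description": "Account is not fully set up"}'


class TokenOutcome(Enum):
    OK = "ok"
    PASSWORD_ROTATION_REQUIRED = "password_rotation_required"
    BAD_CREDENTIALS = "bad_credentials"
    OTHER_ERROR = "other_error"


def build_token_request(base_url, realm, client_id, username, password):
    """Return (url, urlencoded form body) for the OIDC password grant."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password})
    return url, body


def classify_token_response(status, body):
    """Map HTTP status + JSON body from the token endpoint to a TokenOutcome."""
    data = json.loads(body) if body else {}
    if status == 200 and "access_token" in data:
        return TokenOutcome.OK
    if data.get("error") == "invalid_grant":
        # Expired password (required action pending) vs. plain wrong credentials.
        if ACCOUNT_NOT_SET_UP in data.get("error_description", ""):
            return TokenOutcome.PASSWORD_ROTATION_REQUIRED
        return TokenOutcome.BAD_CREDENTIALS
    return TokenOutcome.OTHER_ERROR


def request_token(base_url, realm, client_id, username, password):
    """Network pre-flight check; Keycloak answers errors with a 4xx and a JSON body."""
    url, body = build_token_request(base_url, realm, client_id, username, password)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_token_response(err.code, err.read().decode())
```

A playbook can call request_token first and abort with a "rotate the config-management password" message on PASSWORD_ROTATION_REQUIRED, rather than discovering the expiry halfway through a run.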

1 Answer


I had faced a similar issue, and changing my realm to master while generating the token resolved it for me.