[keycloak-dev] Keycloak doubts
David Ramírez
d.rami85 at gmail.com
Wed Oct 14 12:35:32 EDT 2015
Hi guys,
I'm new to the Keycloak server; after reading the official documentation I have
a couple of questions.
Following the OAuth2 flow:
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
are 'Client' and 'Resource Server' Keycloak clients?
For example, I have an Android app and a service (a Java REST service);
should both be registered in the Keycloak server as clients?
The last question is about the refresh token.
When I authenticate to obtain an access token through
'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token',
I receive a refresh token too.
If I try to get a protected resource with the refresh token, I get
access to it... Why is that possible? I thought the refresh token was
only for generating new access tokens. I'm a bit confused.
I would appreciate any help, thanks.
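An added example, not code from the original post or from Keycloak: the resource-server-side check that distinguishes the two token kinds in the question. Keycloak marks its JWTs with a typ claim (Bearer for access tokens, Refresh for refresh tokens), so a resource server that only verifies the signature and expiry will accept a refresh token; checking typ and issuer closes that gap. The tokens below are constructed for the demo, and signature verification is assumed to have happened before these checks.

```python
import base64
import json

# Constructed issuer matching the realm URL from the question.
EXPECTED_ISSUER = "http://localhost:8080/auth/realms/demo"


def b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed (unsigned) JWT for the demo; real tokens are RS256-signed."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT (signature check assumed done)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_access_token(token: str, now: int) -> tuple:
    """Return (accepted, reason). Only a live Bearer token from our realm passes."""
    claims = jwt_claims(token)
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    # This is the check that rejects a refresh token presented as a bearer token.
    if claims.get("typ") != "Bearer":
        return False, f"typ is {claims.get('typ')!r}, not an access token"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed sample tokens; NOW is a fixed timestamp so the demo is repeatable.
NOW = 1444840532
ACCESS_TOKEN = make_token({"iss": EXPECTED_ISSUER, "typ": "Bearer",
                           "azp": "android-app", "exp": NOW + 300,
                           "realm_access": {"roles": ["user"]}})
REFRESH_TOKEN = make_token({"iss": EXPECTED_ISSUER, "typ": "Refresh",
                            "azp": "android-app", "exp": NOW + 1800})

if __name__ == "__main__":
    print(check_access_token(ACCESS_TOKEN, NOW))   # (True, 'ok')
    print(check_access_token(REFRESH_TOKEN, NOW))  # (False, "typ is 'Refresh', ...")
```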