<div dir="ltr">Thanks Marek!</div><div class="gmail_extra"><br><div class="gmail_quote">2015-10-14 18:57 GMT+02:00 Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><span class="">
    <div>On 14/10/15 18:35, David Ramírez wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <p>Hi guys,</p>
        <p>I&#39;m new
          to the Keycloak server; after reading the official documentation I
          have a couple of questions.</p>
        <p>Following
          the OAuth2 flow:</p>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant ---------&gt;|               |
  |        |                                           |               |
  |        |&lt;-(B)----------- Access Token -------------|               |
  |        |               &amp; Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ----&gt;|          |   |               |
  |        |                            |          |   |               |
  |        |&lt;-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ----&gt;|          |   |               |
  |        |                            |          |   |               |
  |        |&lt;-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token -----------&gt;|               |
  |        |                                           |               |
  |        |&lt;-(H)----------- Access Token -------------|               |
  +--------+           &amp; Optional Refresh Token        +---------------+

 </pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">Are &#39;Client&#39; and &#39;Resource Server&#39; Keycloak clients?</pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"></pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">For example, I have an Android App and a Service (Java REST service); should both be registered in the Keycloak Server as clients?</pre>
      </div>
    </blockquote></span>
    Yes. Theoretically it&#39;s not necessary to register your REST Service as
    a Keycloak client, but it&#39;s useful for various reasons. For example,
    you will be able to propagate admin events from the KC admin console to
    it, such as pushing the not-before policy.<span class=""><br>
    <blockquote type="cite">
      <div dir="ltr">
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">The last question is about Refresh token.</pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"></pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">When I authenticate to obtain an access token through &#39;<a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/token</a>&#39;, I receive a refresh token too.</pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"></pre>
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">If I try to get a protected resource with the refresh token, I get access to it... Why is that possible? I thought that the refresh token was only for generating a new access token. I&#39;m a bit confused.</pre>
      </div>
    </blockquote></span>
    It&#39;s a bug, which is fixed in the latest master and will be in the 1.6
    release.<br>
    <br>
    Marek<br>
    <blockquote type="cite"><span class="">
      <div dir="ltr">
        <pre style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">I will appreciate any help, thanks.</pre>
      </div>
      </span><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
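<p>An added example, not part of the original thread and not Keycloak's own code: a resource-server check that rejects a refresh token presented as a bearer credential, the behaviour discussed above. It assumes the token payload carries a <code>typ</code> claim of <code>Bearer</code> for access tokens and <code>Refresh</code> for refresh tokens; the HS256 shared key, timestamps and tokens are constructed for the demo (a real deployment verifies against the realm's public key).</p>

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed; stands in for the realm signing key
NOW = 1_444_842_000             # constructed "current time" (epoch seconds)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Build a constructed HS256 JWT for the demo."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def authorize(token: str, now: int) -> dict:
    """Resource-server side: signature, expiry, then token type."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(unb64url(head))
        given = unb64url(sig)
    except ValueError:
        raise PermissionError("malformed token") from None
    if header.get("alg") != "HS256":          # pin the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("typ") != "Bearer":         # a validly signed refresh token stops here
        raise PermissionError(f"token type {claims.get('typ')!r} is not an access token")
    return claims

ACCESS = sign({"sub": "alice", "typ": "Bearer", "exp": NOW + 300})
REFRESH = sign({"sub": "alice", "typ": "Refresh", "exp": NOW + 1800})

def outcome(token: str) -> str:
    try:
        return "allowed:" + authorize(token, NOW)["sub"]
    except PermissionError as err:
        return "denied:" + str(err)

if __name__ == "__main__":
    print(outcome(ACCESS), outcome(REFRESH), sep="\n")
```

<p>Signature and expiry checks alone accept both tokens, since the same server signs both; only the type check separates them.</p>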