[keycloak-user] Bearer only RESTful service accepts request also without a client configured in Keyclo

Gunter Zeilinger gunterze at gmail.com
Wed Oct 25 07:03:51 EDT 2017

I have deployed 2 web-applications - one for the UI and one providing
RESTful Services - in one EAR in Wildfly 10, both secured by using the
JBoss EAP/Wildfly Adapter, the UI WAR with
<public-client>true</public-client>, and the RS WAR with
<bearer-only>true</bearer-only>, both with different values for the
client-id by <resource>xxxxx</resource>.

The UI application propagates the authentication to the REST Services
similarly to what is shown in https://github.com/keycloak/
src/main/java/org/keycloak/example/CustomerDatabaseClient.java . (The only
difference is that the access token is provided by the UI Application to an
Angular 2 client, which then directly invokes the RESTful services using
that token).

It works, but I realized that it also works if there is no client with
matching id for the RESTful web-application configured in Keycloak. Is that

Thanks for any clarification,

