<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Hi Bill, further to last comment, i.e. although I can get the token, when I use it to call the same Rest service, I am getting 403 instead.</div><div><br></div><div>I don’t know if this helps or not, but I have also noticed that the console produced different output:</div><div><br></div><div><b>Using non-keycloak client (Did not work - get 403)</b></div><div><br></div><div>15:05:28,228 INFO [org.keycloak.services.resources.TokenService] (default task-1) no authorization header</div><div>15:05:28,345 INFO [org.keycloak.audit] (default task-1) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, <a href="mailto:username=roger@mailinator.com">username=roger@mailinator.com</a>, response_type=token, auth_method=oauth_credentials, refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564, token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97</div><div>15:05:28,547 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) --> authenticate()</div><div>15:05:28,548 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) try bearer</div><div>15:05:28,566 INFO [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-2) checking whether to refresh.</div><div>15:05:28,566 INFO [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-2) use realm role mappings</div><div>15:05:28,571 INFO [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-2) propagate security context to wildfly</div><div>15:05:28,571 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) Bearer AUTHENTICATED</div><div><br></div><div><br></div><div><b>Using keycloak app (similar to customer-cli sample) Work</b></div><div><br></div><div>15:06:30,254 INFO [org.keycloak.services.resources.TokenService] (default task-1) createLogin() now...</div><div>15:06:39,965 INFO [org.keycloak.audit] (default task-2) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, <a href="mailto:username=roger@mailinator.com">username=roger@mailinator.com</a>, response_type=code, redirect_uri=<a href="http://localhost:59999">http://localhost:59999</a>, auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946</div><div>15:06:39,966 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) createLoginCookie</div><div>15:06:39,966 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) createIdentityToken</div><div>15:06:40,092 INFO [org.keycloak.services.resources.TokenService] (default task-3) no authorization header</div><div>15:06:40,119 INFO [org.keycloak.audit] (default task-3) event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946, token_id=be0358ab-2c28-4bdc-a95c-681b63095217</div><div>15:06:46,567 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) --> authenticate()</div><div>15:06:46,568 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) try bearer</div><div>15:06:46,584 INFO [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-4) checking whether to refresh.</div><div>15:06:46,584 INFO [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-4) use realm role mappings</div><div>15:06:46,589 INFO [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-4) propagate security context to wildfly</div><div>15:06:46,590 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) Bearer AUTHENTICATED</div><div><br></div></body></html>