<html><body><div style="color:#000; background-color:#fff; font-family:garamond, new york, times, serif;font-size:14px"><div id="yui_3_16_0_1_1443077983577_4120">Hi there,</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120" dir="ltr">Here is a metaphor for what we are working on.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">Suppose we are a primary school. We would like to offer a sports club card to our teachers so they can go and exercise at the weekend. The workflow is simple:</div><div id="yui_3_16_0_1_1443077983577_4120">1) We apply for a card from the club.</div><div id="yui_3_16_0_1_1443077983577_4120">2) We give the card to the teacher.</div><div id="yui_3_16_0_1_1443077983577_4120">3) The teacher takes the card to the club to do whatever they like.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">With Keycloak, we think:</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">1) The card is the token.</div><div id="yui_3_16_0_1_1443077983577_4120">2) We, the school, are the OAuth client.</div><div id="yui_3_16_0_1_1443077983577_4120">3) The teacher and the club go with bearer-only.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">Based on the understanding above:</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">1) Through the admin RESTful endpoints, we (the school) create a user account, reset the password to whatever we like, set the role for the user, and finally acquire this user's access token. In this step the user is not involved at all.
</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">2) We transfer this access token to the user.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">3) The user now visits the club's RESTful endpoints carrying this token.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">Unfortunately, we cannot reach the club's resource. The code is 403 Forbidden.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">I am not sure whether we have the right idea about the bearer-only model or not, or whether we missed something.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">Any help will be appreciated.</div><div id="yui_3_16_0_1_1443077983577_4120"><br></div><div id="yui_3_16_0_1_1443077983577_4120">Mai</div></div></body></html>
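The following is an added example, not part of Mai's mail and not Keycloak's own code. When a bearer-only client answers 403 (rather than 401), the token was accepted as a token but did not carry what the protected endpoint requires, so the first thing to look at is the token's own claims. The block decodes a JWT payload (inspection only, no signature check), pulls out the realm roles and the per-client roles under resource_access, and reports why a bearer-only service would refuse it. The realm name, the client id "club", the role "member" and the sample tokens are all constructed for the example; Keycloak never issues unsigned tokens, the alg "none" builder exists only so the example runs offline.

```python
"""Inspect a Keycloak access token the way a bearer-only service would.

Added example (not from the original mail, not Keycloak's code). Assumed,
hypothetical names: bearer-only client "club", required role "member".
"""
import base64
import json
import time
from typing import Optional, Tuple

CLUB_CLIENT = "club"       # hypothetical bearer-only client id
REQUIRED_ROLE = "member"   # hypothetical role the club endpoint requires


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    This is for debugging only. A real resource server must verify the
    signature against the realm's public key before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_roles(claims: dict, client_id: str) -> Tuple[set, set]:
    """Roles Keycloak puts in the token: realm roles and roles scoped to one client."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(
        claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    )
    return realm_roles, client_roles


def why_forbidden(token: str, client_id: str, role: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Replicate the checks a bearer-only adapter makes before serving a request.

    Returns None when the token would pass, otherwise a short reason. The role
    may come from realm_access (the adapter default) or from resource_access
    for this client (use-resource-role-mappings); both are accepted here.
    """
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "expired"
    realm_roles, client_roles = token_roles(claims, client_id)
    if role in realm_roles or role in client_roles:
        return None
    if client_roles:
        return f"role {role!r} not among client roles {sorted(client_roles)}"
    return (f"role {role!r} missing: realm roles={sorted(realm_roles)}, "
            f"no resource_access entry for {client_id!r}")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg 'none', empty signature).

    Keycloak never issues these; it only lets the example run offline.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    far_future = 2_000_000_000
    # Role mapped as a realm role: the club accepts it.
    ok = make_unsigned_token({"exp": far_future,
                              "realm_access": {"roles": [REQUIRED_ROLE]}})
    # Role mapped only on the school client: the club sees no usable role.
    wrong_client = make_unsigned_token({"exp": far_future,
                                        "resource_access": {"school": {"roles": [REQUIRED_ROLE]}}})
    print(why_forbidden(ok, CLUB_CLIENT, REQUIRED_ROLE))            # None
    print(why_forbidden(wrong_client, CLUB_CLIENT, REQUIRED_ROLE))  # role 'member' missing: ...
```

Paste the real access token into jwt_claims and compare the roles it carries with the role the club's endpoint is configured to require; a role that was assigned as a client role of the school client, or assigned after the token was issued, will not appear where the club looks. The token must also reach the club in the request header as Authorization: Bearer followed by the token.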