Set fix version on the issue to 3.0.0.CR1. It's not critical now, but we
should do it.
On 6 January 2017 at 16:05, Marek Posolda <mposolda(a)redhat.com> wrote:
On 04/01/17 06:46, Stian Thorgersen wrote:
> Currently a bearer-only client can't have a service account and that seems
> like a mistake. Further, this prevents bearer-only clients from using the
> authorization services.
>
> Are there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain a token using the client credential grant?
>
I assumed that a bearer-only client shouldn't be able to have any tokens and
clientSessions, which are dedicated directly to him. It is just a REST
service, which "consumes" the access tokens created for other clients. Also
the flag name "Bearer-only" states exactly this. That's the main reason why
I did it that way for service accounts.

I can't see any big issue with a bearer-only client being able to have a
service account. There are just a few things which will need to be done
though (e.g. tabs "Mappers" and "Scopes" will need to be enabled for
bearer-only clients with enabled service account etc).
Marek
>
> The only thing a bearer-only client should be prevented from doing IMO is
> authenticating users (authorization code flow and resource owner credential
> grant).