Thanks Marek!

2015-10-14 18:57 GMT+02:00 Marek Posolda <mposolda@redhat.com>:
On 14/10/15 18:35, David Ramírez wrote:

Hi guys,

I'm new to the Keycloak server; after reading the official documentation I have a couple of questions.

Following the OAuth2 flow:

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

are 'Client' and 'Resource Server' Keycloak clients?

For example, I have an Android App and a Service (Java REST service); should both be registered in the Keycloak Server as clients?
Yes. Theoretically it's not needed to register your REST Service as a Keycloak client, but it's useful for various reasons. For example, you will be able to propagate admin events from the KC admin console to it, like pushing a not-before policy.

The last question is about Refresh token.

When I'm authenticated for achieving an access token through 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token', I receive a refresh token too.

If I try to get a protected resource with the refresh token, I get access to it... Why is that possible? I thought the refresh token was only for generating a new access token. I'm a bit confused.
It's a bug, which is fixed in the latest master and will be in the 1.6 release.

Marek

I will appreciate any help, thanks.

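The bug discussed above is a resource server accepting a refresh token as if it were an access token. The check a resource server needs, written as an added example (not Keycloak's own adapter code): verify the signature, then reject any token whose `typ` claim is not `Bearer`, since Keycloak marks access tokens `typ=Bearer` and refresh tokens `typ=Refresh`. The HS256 demo key is an assumption made so the example runs offline; a real Keycloak realm signs with RS256 and the resource server verifies against the realm public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real Keycloak realm signs tokens with
# RS256 and the resource server verifies them against the realm public key;
# HMAC is used here only so the example runs offline with the standard library.
DEMO_KEY = b"constructed-demo-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a signed JWT carrying the given claims (demo HS256 signing)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_bearer(token: str, now: int) -> dict:
    """Return the claims only for a valid, unexpired *access* token.

    A refresh token from the same realm carries a perfectly valid signature,
    so signature verification alone is not enough: the token type must be
    checked too (Keycloak: typ=Bearer for access, typ=Refresh for refresh).
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("typ") != "Bearer":
        raise ValueError(f"not an access token (typ={claims.get('typ')!r})")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_accepted(token: str, now: int) -> bool:
    """True if the resource server would serve a request carrying this token."""
    try:
        validate_bearer(token, now)
        return True
    except ValueError:  # bad signature, wrong typ, expired, or malformed token
        return False
```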
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev