Hi guys,
I'm new to Keycloak server; after reading the official documentation I have a couple of questions.
Following the OAuth2 flow:
  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+
are 'Client' and 'Resource Server' Keycloak clients?
For example, I have an Android App and a Service (Java REST service); should both be registered in Keycloak Server as clients?
The last question is about Refresh token.
When I authenticate to obtain an access token through 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token', I receive a refresh token too.
If I try to get a protected resource with the refresh token, I get access to it... Why is this possible? I thought the refresh token was only for generating new access tokens. I'm a bit confused.
I will appreciate any help, thanks.
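The refresh-token question above comes down to what the resource server checks before serving a protected resource. The following is an added example, not code from the post or from Keycloak: it mints constructed HS256 JWTs that mimic Keycloak's payload `typ` claim (`Bearer` for access tokens, `Refresh` for refresh tokens) and shows a resource-server check that verifies the signature and expiry and then rejects anything that is not an access token. The shared HMAC key and token layout are assumptions for a self-contained demo; a real resource server would verify Keycloak's RS256 signature with the realm's public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for HS256; stands in for the realm's signing key.
DEMO_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(typ: str, key: bytes = DEMO_KEY, ttl: int = 300) -> str:
    """Build a constructed HS256 JWT whose payload 'typ' claim mimics
    Keycloak: 'Bearer' for an access token, 'Refresh' for a refresh token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"typ": typ, "exp": int(time.time()) + ttl, "sub": "demo-user"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def accept_as_access_token(token: str, key: bytes = DEMO_KEY) -> bool:
    """Resource-server check: valid signature, not expired, and the token
    is an access token. A refresh token presented as a bearer token fails
    the last check even though its signature and expiry are fine."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    if claims.get("exp", 0) <= time.time():
        return False
    return claims.get("typ") == "Bearer"
```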