On 14/10/15 18:35, David Ramírez wrote:
Hi guys,
I'm new to the Keycloak server; after reading the official documentation I
have a couple of questions.
Following the OAuth2 flow:
  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+
are 'Client' and 'Resource Server' Keycloak clients?
For example, I have an Android app and a service (a Java REST service); should both be
registered in the Keycloak server as clients?
Yes. Theoretically it's not needed
to register your REST service as a
Keycloak client, but it's useful for various reasons. For example, you
will be able to propagate admin events from the KC admin console to it, like
pushing a not-before policy.
The last question is about the refresh token.
When I authenticate to obtain an access token through
'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token', I receive
a refresh token too.
If I try to get a protected resource with the refresh token, I get access to it... Why
is that possible? I thought the refresh token was only for generating new access tokens.
I'm a bit confused.
It's a bug, which is fixed in the latest master and will be
in the 1.6 release.
Marek
I would appreciate any help. Thanks.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
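The check a resource server needs in order not to fall into the behaviour David describes (a refresh token accepted as if it were an access token) is illustrated below. This is an added example, not code from the Keycloak project and not the fix Marek refers to; the thread does not say what that fix was. It mirrors the shape of Keycloak tokens, where the `typ` claim is "Bearer" on access tokens and "Refresh" on refresh tokens, and shows a resource-server verifier that accepts only a signed, unexpired, issuer-matched token whose `typ` is "Bearer", plus the form body a client posts for the refresh grant (steps G and H of the diagram). Assumptions: the tokens are signed with HS256 and a constructed shared secret so the example runs with the standard library alone (a real Keycloak realm signs with RS256 and the realm's RSA key), the client id `android-app` is invented, and the issuer is taken from the realm URL in the thread.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only. A real Keycloak realm signs tokens
# with RS256 using the realm key pair; HS256 is used here so the example needs
# no third-party library.
EXAMPLE_SECRET = b"example-shared-secret-not-a-real-realm-key"
REALM_ISSUER = "http://localhost:8080/auth/realms/demo"   # realm URL from the thread
TOKEN_ENDPOINT = REALM_ISSUER + "/protocol/openid-connect/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(typ: str, lifetime: int, now: Optional[int] = None) -> str:
    """Mint a Keycloak-shaped JWT. typ is "Bearer" for an access token or
    "Refresh" for a refresh token, mirroring Keycloak's `typ` claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": REALM_ISSUER,
        "typ": typ,
        "azp": "android-app",      # assumed client id of the Android app
        "sub": "user-123",         # constructed subject
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(EXAMPLE_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_bearer(token: str, now: Optional[int] = None) -> dict:
    """Resource-server check for steps C and E: return the claims only for a
    valid, unexpired access token from our realm. Raises ValueError otherwise,
    which is what should turn into the Invalid Token Error of step F."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    expected = hmac.new(EXAMPLE_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != REALM_ISSUER:
        raise ValueError("wrong issuer")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    # The check this thread is about: a refresh token (typ=Refresh) is only
    # a credential for the token endpoint, never for a protected resource.
    if claims.get("typ") != "Bearer":
        raise ValueError(f"not an access token (typ={claims.get('typ')!r})")
    return claims


def refresh_request_body(refresh_token: str, client_id: str) -> dict:
    """Form fields the client POSTs to TOKEN_ENDPOINT (step G) to obtain a
    fresh access token (step H). A confidential client would also send its
    client_secret; the Android app here is treated as a public client."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }


if __name__ == "__main__":
    now = int(time.time())
    access = mint_token("Bearer", 300, now)
    refresh = mint_token("Refresh", 1800, now)
    print("access token accepted:", verify_bearer(access, now)["sub"])
    try:
        verify_bearer(refresh, now)
    except ValueError as e:
        print("refresh token rejected:", e)
    print("refresh grant body:", refresh_request_body(refresh, "android-app"))
```

The order of checks matters: signature first, so nothing in an unsigned or tampered payload is trusted, then issuer and expiry, then token type. Checking `typ` after the signature means an attacker cannot simply flip the claim, and rejecting everything that is not "Bearer" also keeps out any other token shapes the realm may issue.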