On 04/01/17 06:46, Stian Thorgersen wrote:
> Currently a bearer-only client can't have a service account, and that seems
> like a mistake. Further, this prevents bearer-only clients from using the
> authorization services.
> Are there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain a token using the client credentials grant?

I assumed that a bearer-only client shouldn't be able to have any tokens
and clientSessions which are dedicated directly to it. It is just a REST
service which "consumes" the access tokens created for other clients.
Also, the flag name "Bearer-only" states exactly this. That's the main
reason why I did it that way for service accounts.

I can't see any big issue with a bearer-only client being able to have a
service account. There are just a few things which will need to be done
though (e.g. the "Mappers" and "Scopes" tabs will need to be enabled for
bearer-only clients with an enabled service account, etc.).

Marek

> The only thing a bearer-only client should be prevented from doing, IMO, is
> authenticating users (authorization code flow and resource owner credentials
> grant).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev