Hi,
as I didn't receive any feedback on this question yet, I will resend it
(perhaps due to pending subscription)
On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen(a)gmail.com>
wrote:
Hi,
how would one configure Keycloak to obtain following scenario's?
Scenario 1:
client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)
- microservice B is allowed to call microservice C, but an authenticated
user in the js app A should be forbidden to call microservice C directly.
Scenario 2:
client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application,
both using the same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)
- a user authenticated in the angular app can use the REST service of app
B and will see the results of microservice C, but the user may not call
microservice C directly
- a user authenticated in the JSF application will see the results of
microservice C when using the JSF application, but should not be able to
use microservice C directly (if the user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of
app B (for accessing microservice C)?
Kind regards,
Dirk