Hi, there,
 
 Here is the metaphor  about we are working on.

Suppose we are a primary school.  We'd like to offer a sports club card for our teachers so  they can go to excise  in weekend.  The workflow is simple, 
1) we apply a card from the club.
2) we give the card to the teacher.
3) The teacher takes the card to the club to do whatever. 

With keycloak , we think 

1)The card is the token
2) We, the school, are the oauth  client 
3)  The teacher and the club go with bearer-only .


Based on the understanding above, 

1) By admin restful endpoints, we( the school) create a user account , reset a whatever  password, set the role for the user , and finally acquire this user's access token .   In this step. the user is not involved at all. 

2)  We transfer this  access token to the user .

3)   The user now visits the  club 's restful endpoints with this token carrying on. 

Unfortunately,  we can not reach the club's resource . The code is 403 forbidden. 



I am not sure whether we get the right idea on bearer-only model or not. Or we missed something

Any help will be appreciated. 


Mai