On Wed, Oct 25, 2017 at 9:03 AM, Gunter Zeilinger <gunterze(a)gmail.com> wrote:

> I have deployed 2 web-applications - one for the UI and one providing
> RESTful Services - in one EAR in Wildfly 10, both secured by using the
> JBoss EAP/Wildfly Adapter, the UI WAR with
> <public-client>true</public-client>, and the RS WAR with
> <bearer-only>true</bearer-only>, both with different values for the
> client-id by <resource>xxxxx</resource>.
>
> The UI application propagates the authentication to the REST Services
> similarly as shown in
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java .
> (The only difference is that the access token is provided by the UI
> Application to an Angular 2 client, which then directly invokes the
> RESTful services using that token).
>
> It works, but I realized that it also works if there is no client with
> matching id for the RESTful web-application configured in Keycloak. Is that
> intended?

Do you mean the client id from the *aud* claim in the access token?

> Thanks for any clarification,
> Gunter
> J4Care
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
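
The reply above refers to the *aud* claim. The following is an added example, not part of the thread or of the Keycloak project, showing how a resource server could compare that claim with its own <resource> value. The client ids, issuer URL and tokens are constructed, and signature and expiry verification are assumed to have happened before this check.

```python
import base64
import json

UI_CLIENT = "ui-app"        # hypothetical <resource> of the public-client UI WAR
RS_CLIENT = "rest-service"  # hypothetical <resource> of the bearer-only RS WAR


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, JWT-shaped sample; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return ".".join([header, body, _b64url(b"constructed-signature")])


def read_claims(token: str) -> dict:
    """Decode the payload segment. Signature and expiry checks are assumed done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audience_matches(claims: dict, resource: str) -> bool:
    """True only if `resource` is named in aud (RFC 7519: string or array)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False  # missing or malformed aud never matches
    return resource in aud


# Constructed sample tokens (issuer URL and client ids are made up).
ISSUER = "https://sso.example.test/auth/realms/demo"
TOKEN_UI_ONLY = make_sample_token({"iss": ISSUER, "aud": UI_CLIENT})
TOKEN_BOTH = make_sample_token({"iss": ISSUER, "aud": [UI_CLIENT, RS_CLIENT]})
TOKEN_NO_AUD = make_sample_token({"iss": ISSUER})

if __name__ == "__main__":
    for name, tok in [("ui-only", TOKEN_UI_ONLY), ("both", TOKEN_BOTH),
                      ("no-aud", TOKEN_NO_AUD)]:
        ok = audience_matches(read_claims(tok), RS_CLIENT)
        print(f"{name:8} accepted by {RS_CLIENT}: {ok}")
```

A service that accepts any token from the realm without a check like this cannot tell a token intended for it from one intended for another client.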