Hi Bill, further to the last comment: although I can get the token, when I use it to call the same REST service, I am getting a 403 instead.

I don’t know if this helps or not, but I have also noticed that the console produced different output:

Using non-keycloak client (Did not work - get 403)

15:05:28,228 INFO  [org.keycloak.services.resources.TokenService] (default task-1) no authorization header
15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, username=roger@mailinator.com, response_type=token, auth_method=oauth_credentials, refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564, token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
15:05:28,547 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-2) --> authenticate()
15:05:28,548 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-2) try bearer
15:05:28,566 INFO  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-2) checking whether to refresh.
15:05:28,566 INFO  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-2) use realm role mappings
15:05:28,571 INFO  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-2) propagate security context to wildfly
15:05:28,571 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-2) Bearer AUTHENTICATED


Using keycloak app (similar to customer-cli sample) - works

15:06:30,254 INFO  [org.keycloak.services.resources.TokenService] (default task-1) createLogin() now...
15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, username=roger@mailinator.com, response_type=code, redirect_uri=http://localhost:59999, auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
15:06:39,966 INFO  [org.keycloak.services.managers.AuthenticationManager] (default task-2) createLoginCookie
15:06:39,966 INFO  [org.keycloak.services.managers.AuthenticationManager] (default task-2) createIdentityToken
15:06:40,092 INFO  [org.keycloak.services.resources.TokenService] (default task-3) no authorization header
15:06:40,119 INFO  [org.keycloak.audit] (default task-3) event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946, token_id=be0358ab-2c28-4bdc-a95c-681b63095217
15:06:46,567 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-4) --> authenticate()
15:06:46,568 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-4) try bearer
15:06:46,584 INFO  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-4) checking whether to refresh.
15:06:46,584 INFO  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-4) use realm role mappings
15:06:46,589 INFO  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-4) propagate security context to wildfly
15:06:46,590 INFO  [org.keycloak.adapters.RequestAuthenticator] (default task-4) Bearer AUTHENTICATED
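
Both runs above end in `Bearer AUTHENTICATED`, so the adapter lines do not tell them apart; the `org.keycloak.audit` LOGIN lines do. The following is an added example, not part of the original message: it parses those two audit lines and reports which fields differ (`parse_audit` and `diff_events` are hypothetical helper names).

```python
import re

# The two LOGIN audit lines quoted in the message above, copied verbatim.
FAILING = (
    "15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN, "
    "realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client, "
    "userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, "
    "username=roger@mailinator.com, response_type=token, "
    "auth_method=oauth_credentials, "
    "refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564, "
    "token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97"
)
WORKING = (
    "15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN, "
    "realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, "
    "userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, "
    "username=roger@mailinator.com, response_type=code, "
    "redirect_uri=http://localhost:59999, auth_method=form, "
    "code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946"
)

AUDIT_RE = re.compile(r"\[org\.keycloak\.audit\] \([^)]*\) (.+)$")

def parse_audit(line):
    """Return the key=value fields of an audit line, or None for other log lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for pair in m.group(1).split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diff_events(a, b):
    """Map each differing field to (value in a, value in b); None means absent.
    Per-request identifiers (*_id) always differ, so they are skipped."""
    out = {}
    for key in sorted(set(a) | set(b)):
        if key.endswith("_id"):
            continue
        if a.get(key) != b.get(key):
            out[key] = (a.get(key), b.get(key))
    return out

if __name__ == "__main__":
    for field, (bad, good) in diff_events(parse_audit(FAILING), parse_audit(WORKING)).items():
        print(f"{field}: failing={bad!r} working={good!r}")
```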